Update dependency electron to v39 [SECURITY]#45
Open
renovate[bot] wants to merge 1 commit into main from
This PR contains the following updates:
electron 12.0.2 → 39.8.5

Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API
CVE-2021-39184 / GHSA-mpjm-v997-c4h4
Details
Impact
This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.
All current stable versions of Electron are affected.
Patches
This was fixed with #30728, and the following Electron versions contain the fix:
Workarounds
If your app enables `contextIsolation`, this vulnerability is significantly more difficult for an attacker to exploit. Further, if your app does not depend on the `createThumbnailFromPath` API, then you can simply disable the functionality. In the main process, before the 'ready' event:
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Renderers can obtain access to random bluetooth device without permission in Electron
CVE-2022-21718 / GHSA-3p22-ghq8-v749
Details
Impact
This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom `select-bluetooth-device` event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.
All current stable versions of Electron are affected.
Patches
This has been patched and the following Electron versions contain the fix:
17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, 13.6.6
Workarounds
Adding this code to your app can workaround the issue.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
CVE-2022-29247 / GHSA-mq8j-3h7h-p8g7
Details
Impact
This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with `nodeIntegrationInSubFrames` enabled, which in turn allows effective access to `ipcRenderer`.
Please note the misleadingly named `nodeIntegrationInSubFrames` option does not implicitly grant Node.js access; rather, it depends on the existing `sandbox` setting. If your application is sandboxed then `nodeIntegrationInSubFrames` just gives access to the sandboxed renderer APIs (which includes `ipcRenderer`).
If your application then additionally exposes IPC messages without IPC `senderFrame` validation that perform privileged actions or return confidential data, this access to `ipcRenderer` can in turn compromise your application / user even with the sandbox enabled.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6, 17.2.0, 16.2.6, 15.5.5
Workarounds
Ensure that all IPC message handlers appropriately validate `senderFrame` as per our security tutorial here.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
AutoUpdater module fails to validate certain nested components of the bundle
CVE-2022-29257 / GHSA-77xc-hjv8-ww97
Details
Impact
This vulnerability allows attackers who have control over a given app's update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.
Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.
Patches
This has been patched and the following Electron versions contain the fix:
18.0.0-beta.6, 17.2.0, 16.2.0, 15.5.0
Workarounds
There are no workarounds for this issue, please update to a patched version of Electron.
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exfiltration of hashed SMB credentials on Windows via file:// redirect
CVE-2022-36077 / GHSA-p2jh-44qj-pf2v
Details
Impact
When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as `file://some.website.com/`, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.
Patches
This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:
We recommend all apps upgrade to the latest stable version of Electron.
Workarounds
If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents:
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Credit
Thanks to user @coolcoolnoworries for reporting this issue.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd
CVE-2023-39956 / GHSA-7x97-j373-85x5
Details
Impact
Apps that are launched as command line executables are impacted, e.g. if your app exposes itself in the path as `myapp --help`.
Specifically, this issue can only be exploited if the following conditions are met:
This makes the risk quite low; in fact, normally issues of this kind are considered outside of our threat model as, similar to Chromium, we exclude Physically Local Attacks, but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
26.0.0-beta.13, 25.5.0, 24.7.1, 23.3.13, 22.3.19
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
Electron affected by libvpx's heap buffer overflow in vp8 encoding
CVE-2023-5217 / GHSA-qqvq-6xgj-jw8g
Details
Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
ASAR Integrity bypass via filetype confusion in electron
CVE-2023-44402 / GHSA-7m48-wc93-9g85
Details
Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.
Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the `resources` folder in your app installation on Windows, which these fuses are supposed to protect against.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
27.0.0-alpha.7, 26.2.1, 25.8.1, 24.8.3, 22.3.24
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
Electron vulnerable to Heap Buffer Overflow in NativeImage
CVE-2024-46993 / GHSA-6r2x-8pq8-9489
Details
Impact
The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.
Workaround
There are no app-side workarounds for this issue. You must update your Electron version to be protected.
Patches
v28.3.2, v29.3.3, v30.0.3
For More Information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Electron has ASAR Integrity Bypass via resource modification
CVE-2025-55305 / GHSA-vmqv-hx8q-j7mg
Details
Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. Apps without these fuses enabled are not impacted.
Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the `resources` folder in your app installation on Windows, which these fuses are supposed to protect against.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
38.0.0-beta.6, 37.3.1, 36.8.1, 35.7.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
CVE-2026-34767 / GHSA-4p4r-m79c-wq3v
Details
Impact
Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.
An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.
Apps that do not reflect external input into response headers are not affected.
Workarounds
Validate or sanitize any untrusted input before including it in a response header name or value.
Fixed Versions
41.0.3, 40.8.3, 39.8.3, 38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Electron: USB device selection not validated against filtered device list
CVE-2026-34766 / GHSA-9899-m83m-qhpj
Details
Impact
The `select-usb-device` event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested `filters` or was listed in `exclusionFilters`.
The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8, 40.7.0, 39.8.0, 38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
CVE-2026-34768 / GHSA-jfqx-fxh3-c62j
Details
Impact
On Windows, `app.setLoginItemSettings({openAtLogin: true})` wrote the executable path to the `Run` registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.
On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.
Workarounds
Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.
Fixed Versions
41.0.0-beta.8, 40.8.0, 39.8.1, 38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Electron: Use-after-free in PowerMonitor on Windows and macOS
CVE-2026-34770 / GHSA-jjp3-mq3x-295m
Details
Impact
Apps that use the `powerMonitor` module may be vulnerable to a use-after-free. After the native `PowerMonitor` object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.
All apps that access `powerMonitor` events (`suspend`, `resume`, `lock-screen`, etc.) are potentially affected. The issue is not directly renderer-controllable.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8, 40.8.0, 39.8.1, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
CVE-2026-34769 / GHSA-9wfr-w7mm-pc7f
Details
Impact
An undocumented `commandLineSwitches` webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct `webPreferences` by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.
Apps are only affected if they construct `webPreferences` from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded `webPreferences` object are not affected.
Workarounds
Do not spread untrusted input into `webPreferences`. Use an explicit allowlist of permitted preference keys when constructing `BrowserWindow` or `webContents` options from external configuration.
Fixed Versions
41.0.0-beta.8, 40.7.0, 39.8.0, 38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
CVE-2026-34771 / GHSA-8337-3p73-46f4
Details
Impact
Apps that register an asynchronous `session.setPermissionRequestHandler()` may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.
Workarounds
Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.
Fixed Versions
41.0.0-beta.8, 40.7.0, 39.8.0, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Electron: Use-after-free in download save dialog callback
CVE-2026-34772 / GHSA-9w97-2464-8783
Details
Impact
Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.
Workarounds
Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.
Fixed Versions
41.0.0-beta.7, 40.7.0, 39.8.0, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
CVE-2026-34773 / GHSA-mwmh-mq4g-g6gr
Details
Impact
On Windows, `app.setAsDefaultProtocolClient(protocol)` did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under `HKCU\Software\Classes\`, potentially hijacking existing protocol handlers.
Apps are only affected if they call `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
Workarounds
Validate that the protocol name matches `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before passing it to `app.setAsDefaultProtocolClient()`.
Fixed Versions
41.0.0, 40.8.1, 39.8.1, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
CVE-2026-34775 / GHSA-xwr5-m59h-vwqr
Details
Impact
The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.
Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.
Workarounds
Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.
Fixed Versions
41.0.0, 40.8.4, 39.8.4, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Electron: Use-after-free in offscreen child window paint callback
CVE-2026-34774 / GHSA-532v-xpq5-8h95
Details
Impact
Apps that use offscreen rendering and allow child windows via `window.open()` may be vulnerable to a use-after-free. If the parent offscreen `WebContents` is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering (`webPreferences.offscreen: true`) and their `setWindowOpenHandler` permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.
Workarounds
Deny child window creation from offscreen renderers in your `setWindowOpenHandler`, or ensure child windows are closed before the parent is destroyed.
Fixed Versions
41.0.0, 40.7.0, 39.8.1
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Electron: Incorrect origin passed to permission request handler for iframe requests
CVE-2026-34777 / GHSA-r5p7-gp4j-qhrx
Details
Impact
When an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions, the origin passed to `session.setPermissionRequestHandler()` was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or `webContents.getURL()` may inadvertently grant permissions to embedded third-party content.
The correct requesting URL remains available via `details.requestingUrl`. Apps that already check `details.requestingUrl` are not affected.
Workarounds
In your `setPermissionRequestHandler`, inspect `details.requestingUrl` rather than the origin parameter or `webContents.getURL()` when deciding whether to grant `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions.
Fixed Versions
41.0.0, 40.8.1, 39.8.1, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
CVE-2026-34776 / GHSA-3c8v-cfp5-9885
Details
Impact
On macOS and Linux, apps that call `app.requestSingleInstanceLock()` were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's `second-instance` event handler.
This issue is limited to processes running as the same user as the Electron app.
Apps that do not call `app.requestSingleInstanceLock()` are not affected. Windows is not affected by this issue.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.0, 40.8.1, 39.8.1, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
Electron: Service worker can spoof executeJavaScript IPC replies
CVE-2026-34778 / GHSA-xj5x-m3f3-5x3h
Details
Impact
A service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions.
Workarounds
Do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
Fixed Versions
41.0.0, 40.8.1, 39.8.1, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
CVE-2026-34779 / GHSA-5rqw-r77c-jp79
Details
Impact
On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.
Apps are only affected if they call `app.moveToApplicationsFolder()`. Apps that do not use this API are not affected.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8, 40.8.0, 39.8.1, 38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org.
Severity
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Electron: Crash in clipboard.readImage() on malformed clipboard image data
CVE-2026-34781 / GHSA-f37v-82c4-4x64
Details
Impact
Apps that call `clipboard.readImage()` may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.
Apps are only affected if they call `clipboard.readImage()`. Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.
Workarounds
Validate that the clipboard c