electron 32.1.2

Direct Vulnerabilities

Known vulnerabilities in the electron package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L NULL Pointer Dereference electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to NULL Pointer Dereference in the `clipboard.readImage()` function when processing malformed clipboard image data. An attacker can cause the application to crash by placing invalid image data on the system clipboard and triggering the function. How to fix NULL Pointer Dereference? Upgrade `electron` to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.	<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5
L Exposure of Resource to Wrong Sphere electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the `window.open()` function. An attacker can gain access to or manipulate the browsing context of a window opened by a different renderer by using the same target name, potentially inheriting elevated permissions such as privileged preload scripts or relaxed security settings. This is only exploitable if multiple top-level windows with differing trust levels are opened and `setWindowOpenHandler` is used to grant elevated `webPreferences` to child windows. How to fix Exposure of Resource to Wrong Sphere? Upgrade `electron` to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.	<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5
M Origin Validation Error electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Origin Validation Error in the `session.setPermissionRequestHandler` function. An attacker can gain unauthorized access to permissions such as `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` by embedding malicious iframes that exploit the incorrect origin parameter passed to the handler. This may result in third-party content being granted permissions intended only for trusted origins. Note: This is only exploitable if the application grants permissions based on the origin parameter or `webContents.getURL()` rather than `details.requestingUrl`. How to fix Origin Validation Error? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
H Command Injection electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Command Injection in the `app.moveToApplicationsFolder` function on macOS when handling application bundle paths containing certain characters. An attacker can execute arbitrary AppleScript code by crafting a malicious launch path and convincing a user to accept the move-to-Applications prompt. Note: This is only exploitable if the application calls `app.moveToApplicationsFolder()`. How to fix Command Injection? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.0>=41.0.0-alpha.1 <41.0.0-beta.8
M Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the `app.setAsDefaultProtocolClient` function. An attacker can gain the ability to write to arbitrary registry subkeys by supplying a crafted protocol name derived from untrusted input. This may allow hijacking of existing protocol handlers. Note: This is only exploitable if the protocol name passed to `app.setAsDefaultProtocolClient` is not hardcoded and is instead derived from external or untrusted sources. How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
H Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the `powerMonitor` function. An attacker can cause memory corruption or application crashes by triggering session-change events on Windows or system shutdown events on macOS after the native object has been garbage-collected, leading to dereferencing of freed memory. How to fix Use After Free? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.0>=41.0.0-alpha.1 <41.0.0-beta.8
M Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the download save dialog callback process. An attacker can cause a crash or memory corruption by triggering session destruction while a native save-file dialog is open and then dismissing the dialog. Note: This is only exploitable if the application allows downloads and programmatically destroys sessions at runtime. How to fix Use After Free? Upgrade `electron` to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.7 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.7
M Insufficient Verification of Data Authenticity electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the `webContents.executeJavaScript` function. An attacker can manipulate the main-process promise to resolve with attacker-controlled data by spoofing reply messages on the internal IPC channel. Note: This is only exploitable if service workers are registered and the result of `webContents.executeJavaScript()` or `webFrameMain.executeJavaScript()` is used in security-sensitive decisions. How to fix Insufficient Verification of Data Authenticity? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
H Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free via the `session.setPermissionRequestHandler` process. An attacker can cause a crash or memory corruption by triggering a permission request for fullscreen, pointer-lock, or keyboard-lock, and then navigating the requesting frame or closing the window while the permission handler is pending. Note: This is only exploitable if an asynchronous permission request handler is registered and invoked while the request is pending. How to fix Use After Free? Upgrade `electron` to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.8
M Out-of-bounds Read electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Read in the `second-instance` event handler when parsing a crafted second-instance message via the `app.requestSingleInstanceLock` process. An attacker can access sensitive memory contents or cause application instability by sending a specially crafted message from another process running as the same user. Note: This is only exploitable if the application calls `app.requestSingleInstanceLock()` and is running on macOS or Linux as the same user. How to fix Out-of-bounds Read? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
H Improper Isolation or Compartmentalization electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the `nodeIntegrationInWorker` configuration in shared renderer processes. An attacker can gain unauthorized access to Node.js integration by exploiting process-sharing scenarios where workers in frames configured with `nodeIntegrationInWorker: false` still receive Node.js integration. Note: This is only exploitable if `nodeIntegrationInWorker` is enabled in applications that also open child windows or embed content with differing webPreferences. How to fix Improper Isolation or Compartmentalization? Upgrade `electron` to version 38.8.6, 39.8.4, 40.8.4, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.4>=40.0.0-alpha.2 <40.8.4>=41.0.0-alpha.1 <41.0.0
H Unquoted Search Path or Element electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Unquoted Search Path or Element in the `app.setLoginItemSettings` function on Windows when the executable path is written to the `Run` registry key without proper quoting. An attacker can execute arbitrary code at login by placing a malicious executable in an ancestor directory if the application is installed to a path containing spaces and the attacker has write access to that directory. Note: This is only exploitable if the application is installed in a non-standard location where ancestor directories are not protected against unauthorized writes. How to fix Unquoted Search Path or Element? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.0>=41.0.0-alpha.1 <41.0.0-beta.8
L Missing Authorization electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Missing Authorization in the `select-usb-device` event callback, which did not validate the chosen device ID against the filtered list presented to the handler. An attacker can gain unauthorized access to USB devices that do not match the intended filters or are listed in exclusion filters by influencing the handler to select a device ID outside the allowed set. Note: This is only exploitable if the application implements unusual device-selection logic that can be manipulated. How to fix Missing Authorization? Upgrade `electron` to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.8
M HTTP Response Splitting electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to HTTP Response Splitting via the `protocol.handle`, `protocol.registerSchemesAsPrivileged`, or `webRequest.onHeadersReceived` functions. An attacker can manipulate HTTP response headers by injecting attacker-controlled input into a response header name or value, potentially allowing the setting of arbitrary headers that affect cookies, content security policy, or cross-origin access controls. Note: This is only exploitable if untrusted external input is reflected into response headers. How to fix HTTP Response Splitting? Upgrade `electron` to version 38.8.6, 39.8.3, 40.8.3, 41.0.3 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.3>=40.0.0-alpha.2 <40.8.3>=41.0.0-alpha.1 <41.0.3
C Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the offscreen rendering process when a parent `WebContents` is destroyed while a child window remains open. An attacker can cause memory corruption or application crash by triggering paint frames on the child window that dereference freed memory. Note: This is only exploitable if offscreen rendering is enabled (`webPreferences.offscreen: true`) and the `setWindowOpenHandler` permits child windows. How to fix Use After Free? Upgrade `electron` to version 39.8.1, 40.7.0, 41.0.0 or higher.	<39.8.1>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0
H Hidden Functionality electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Hidden Functionality via the `commandLineSwitches` webPreference. An attacker can inject arbitrary command-line switches into the renderer process by supplying untrusted configuration objects, potentially disabling security controls or sandboxing. Note: This is only exploitable if external or untrusted input is used to construct `webPreferences` without an explicit allowlist. How to fix Hidden Functionality? Upgrade `electron` to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.8
M Arbitrary Code Injection electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Arbitrary Code Injection via modification of the `resources` folder when the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses are enabled. An attacker can execute unauthorized code by altering files within the application directory, bypassing ASAR integrity checks. Note: This is only exploitable if the application is launched from a filesystem to which the attacker has write access. How to fix Arbitrary Code Injection? Upgrade `electron` to version 35.7.5, 36.8.1, 37.3.1, 38.0.0-beta.6 or higher.	<35.7.5>=36.0.0-alpha.1 <36.8.1>=37.0.0-alpha.1 <37.3.1>=38.0.0-alpha.1 <38.0.0-beta.6
H Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free via `MediaStreamTrackImpl`. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page. How to fix Use After Free? Upgrade `electron` to version 37.2.6 or higher.	<37.2.6
C Access of Resource Using Incompatible Type ('Type Confusion') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the lack of limitation on max inlining ids in `MaglevGraphBuilder`. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `electron` to version 37.2.5 or higher.	<37.2.5
H Access of Resource Using Incompatible Type ('Type Confusion') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via lack of support for escapes in `PreParserIdentifier` V8` process. An attacker can achieve heap corruption by enticing a user to visit a specially crafted HTML page. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `electron` to version 37.2.5 or higher.	<37.2.5
H Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free via improper handling of possible socket destruction in `P2PSocketTcpBase`. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page. How to fix Use After Free? Upgrade `electron` to version 37.2.4 or higher.	<37.2.4
M Integer Overflow or Wraparound electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via an incorrect count being passed to `InstructionAccurateScope` in the V8 engine. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page. How to fix Integer Overflow or Wraparound? Upgrade `electron` to version 37.2.4 or higher.	<37.2.4
H Incorrect Calculation of Buffer Size electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size via insufficient validation of untrusted input in `ANGLE` and `GPU`. An attacker can escape the sandbox by submitting a specially crafted HTML page. How to fix Incorrect Calculation of Buffer Size? Upgrade `electron` to version 37.2.4 or higher.	<37.2.4
H Function Call with Incorrectly Specified Arguments electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Function Call with Incorrectly Specified Arguments via an incorrect handle provided in unspecified circumstances in Mojo. An attacker can reflect a broker-initiated transport back to a broker, which ultimately allows for handle leaks if the reflected transport is later used to deserialize another transport containing handles. How to fix Function Call with Incorrectly Specified Arguments? Upgrade `electron` to version 36.3.0 or higher.	<36.3.0
M Information Exposure electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Information Exposure via the `Loader` component. An attacker can leak sensitive cross-origin data by crafting a malicious HTML page. How to fix Information Exposure? Upgrade `electron` to version 36.3.0 or higher.	<36.3.0
M Improper Isolation or Compartmentalization electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization that allows an attacker who can convince a user to follow a malicious link to escape sandbox protections, due to a logic error in the Mojo component. This vulnerability does not enable code execution on its own, but is presumed chainable with another vulnerability to achieve code execution and has been observed in the wild. Note: This vulnerability is only exploitable on Windows. How to fix Improper Isolation or Compartmentalization? Upgrade `electron` to version 33.4.8, 34.4.1, 35.1.2 or higher.	<33.4.8>=34.0.0-alpha.1 <34.4.1>=35.0.0-alpha.1 <35.1.2
H Access of Resource Using Incompatible Type ('Type Confusion') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in v8. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `electron` to version 33.4.6, 34.3.4 or higher.	<33.4.6>=34.0.0 <34.3.4
H Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free through the V8 engine. How to fix Use After Free? Upgrade `electron` to version 32.3.3, 33.4.3 or higher.	<32.3.3>=33.0.0-alpha.1 <33.4.3
M Heap-based Buffer Overflow electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Heap-based Buffer Overflow in v8, when processing a very large number of parameters. How to fix Heap-based Buffer Overflow? Upgrade `electron` to version 32.3.2, 33.4.2 or higher.	<32.3.2>=33.0.0-alpha.1 <33.4.2
H Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free through the `V8` engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page. How to fix Use After Free? Upgrade `electron` to version 33.4.3 or higher.	<33.4.3
H Out-of-bounds Write electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Write through crafted HTML pages. An attacker can exploit heap corruption by sending a specially crafted HTML page to the victim. How to fix Out-of-bounds Write? Upgrade `electron` to version 32.3.2, 33.4.2 or higher.	<32.3.2>=33.0.0-alpha.1 <33.4.2
H Out-of-bounds Write electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can potentially exploit heap corruption by sending a specially crafted HTML page to the victim. How to fix Out-of-bounds Write? Upgrade `electron` to version 32.3.2, 33.4.2 or higher.	<32.3.2>=33.0.0-alpha.1 <33.4.2
H External Control of Assumed-Immutable Web Parameter electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter due to an integer overflow in the `Skia` component. How to fix External Control of Assumed-Immutable Web Parameter? Upgrade `electron` to version 32.3.0, 33.3.2 or higher.	>=32.0.0 <32.3.0>=33.0.0 <33.3.2
H Out-of-bounds Read electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Read through the `Metrics` process. How to fix Out-of-bounds Read? Upgrade `electron` to version 32.3.0, 33.3.2 or higher.	>=32.0.0 <32.3.0>=33.0.0 <33.3.2
C Out-of-bounds Write electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Write in V8. How to fix Out-of-bounds Write? Upgrade `electron` to version 32.3.0, 33.3.2 or higher.	>=32.0.0 <32.3.0>=33.0.0 <33.3.2
H Out-of-bounds Write electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Write through a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting malicious HTML content. How to fix Out-of-bounds Write? Upgrade `electron` to version 32.3.0 or higher.	<32.3.0
M Access of Resource Using Incompatible Type ('Type Confusion') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit object corruption by manipulating the HTML content. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `electron` to version 31.7.7, 32.2.8 or higher.	>=31.0.0 <31.7.7>=32.0.0 <32.2.8
M Access Restriction Bypass electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Access Restriction Bypass due to an inappropriate implementation in the `Extensions` feature. An attacker can bypass site isolation. How to fix Access Restriction Bypass? Upgrade `electron` to version 31.7.5, 32.2.5, 33.2.1 or higher.	<31.7.5>=32.0.0-alpha.1 <32.2.5>=33.0.0 <33.2.1
H Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free via the `Serial` process. An attacker can potentially exploit heap corruption. How to fix Use After Free? Upgrade `electron` to version 31.7.5, 32.2.5 or higher.	<31.7.5>=32.0.0-alpha.1 <32.2.5
M Access of Resource Using Incompatible Type ('Type Confusion') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `electron` to version 32.2.3 or higher.	<32.2.3
H Improper Access Control electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Access Control due to an inappropriate implementation in Extensions. An attacker can bypass site isolation. How to fix Improper Access Control? Upgrade `electron` to version 31.7.4, 32.2.3 or higher.	<31.7.4>=32.0.0 <32.2.3
M Access of Resource Using Incompatible Type ('Type Confusion') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `electron` to version 31.7.4, 32.2.3 or higher.	<31.7.4>=32.0.0 <32.2.3
H Out-of-bounds Write electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Write in Dawn. How to fix Out-of-bounds Write? Upgrade `electron` to version 31.7.4, 32.2.3 or higher.	<31.7.4>=32.0.0 <32.2.3
H Type Confusion electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Type Confusion in v8 engine. How to fix Type Confusion? Upgrade `electron` to version 32.3.0 or higher.	<32.3.0

Vulnerability

Vulnerable Version

NULL Pointer Dereference

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to NULL Pointer Dereference in the clipboard.readImage() function when processing malformed clipboard image data. An attacker can cause the application to crash by placing invalid image data on the system clipboard and triggering the function.

How to fix NULL Pointer Dereference?

Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5

Exposure of Resource to Wrong Sphere

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the window.open() function. An attacker can gain access to or manipulate the browsing context of a window opened by a different renderer by using the same target name, potentially inheriting elevated permissions such as privileged preload scripts or relaxed security settings. This is only exploitable if multiple top-level windows with differing trust levels are opened and setWindowOpenHandler is used to grant elevated webPreferences to child windows.

How to fix Exposure of Resource to Wrong Sphere?

Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5

Origin Validation Error

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Origin Validation Error in the session.setPermissionRequestHandler function. An attacker can gain unauthorized access to permissions such as fullscreen, pointerLock, keyboardLock, openExternal, or media by embedding malicious iframes that exploit the incorrect origin parameter passed to the handler. This may result in third-party content being granted permissions intended only for trusted origins.

Note:

This is only exploitable if the application grants permissions based on the origin parameter or webContents.getURL() rather than details.requestingUrl.

How to fix Origin Validation Error?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Command Injection

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Command Injection in the app.moveToApplicationsFolder function on macOS when handling application bundle paths containing certain characters. An attacker can execute arbitrary AppleScript code by crafting a malicious launch path and convincing a user to accept the move-to-Applications prompt.

Note:

This is only exploitable if the application calls app.moveToApplicationsFolder().

How to fix Command Injection?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.0>=41.0.0-alpha.1 <41.0.0-beta.8

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the app.setAsDefaultProtocolClient function. An attacker can gain the ability to write to arbitrary registry subkeys by supplying a crafted protocol name derived from untrusted input. This may allow hijacking of existing protocol handlers.

Note:

This is only exploitable if the protocol name passed to app.setAsDefaultProtocolClient is not hardcoded and is instead derived from external or untrusted sources.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the powerMonitor function. An attacker can cause memory corruption or application crashes by triggering session-change events on Windows or system shutdown events on macOS after the native object has been garbage-collected, leading to dereferencing of freed memory.

How to fix Use After Free?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.0>=41.0.0-alpha.1 <41.0.0-beta.8

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the download save dialog callback process. An attacker can cause a crash or memory corruption by triggering session destruction while a native save-file dialog is open and then dismissing the dialog.

Note:

This is only exploitable if the application allows downloads and programmatically destroys sessions at runtime.

How to fix Use After Free?

Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.7 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.7

Insufficient Verification of Data Authenticity

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the webContents.executeJavaScript function. An attacker can manipulate the main-process promise to resolve with attacker-controlled data by spoofing reply messages on the internal IPC channel.

Note:

This is only exploitable if service workers are registered and the result of webContents.executeJavaScript() or webFrameMain.executeJavaScript() is used in security-sensitive decisions.

How to fix Insufficient Verification of Data Authenticity?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the session.setPermissionRequestHandler process. An attacker can cause a crash or memory corruption by triggering a permission request for fullscreen, pointer-lock, or keyboard-lock, and then navigating the requesting frame or closing the window while the permission handler is pending.

Note:

This is only exploitable if an asynchronous permission request handler is registered and invoked while the request is pending.

How to fix Use After Free?

Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.8

Out-of-bounds Read

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in the second-instance event handler when parsing a crafted second-instance message via the app.requestSingleInstanceLock process. An attacker can access sensitive memory contents or cause application instability by sending a specially crafted message from another process running as the same user.

Note:

This is only exploitable if the application calls app.requestSingleInstanceLock() and is running on macOS or Linux as the same user.

How to fix Out-of-bounds Read?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Improper Isolation or Compartmentalization

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the nodeIntegrationInWorker configuration in shared renderer processes. An attacker can gain unauthorized access to Node.js integration by exploiting process-sharing scenarios where workers in frames configured with nodeIntegrationInWorker: false still receive Node.js integration.

Note:

This is only exploitable if nodeIntegrationInWorker is enabled in applications that also open child windows or embed content with differing webPreferences.

How to fix Improper Isolation or Compartmentalization?

Upgrade electron to version 38.8.6, 39.8.4, 40.8.4, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.4>=40.0.0-alpha.2 <40.8.4>=41.0.0-alpha.1 <41.0.0

Unquoted Search Path or Element

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Unquoted Search Path or Element in the app.setLoginItemSettings function on Windows when the executable path is written to the Run registry key without proper quoting. An attacker can execute arbitrary code at login by placing a malicious executable in an ancestor directory if the application is installed to a path containing spaces and the attacker has write access to that directory.

Note:

This is only exploitable if the application is installed in a non-standard location where ancestor directories are not protected against unauthorized writes.

How to fix Unquoted Search Path or Element?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.0>=41.0.0-alpha.1 <41.0.0-beta.8

Missing Authorization

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Missing Authorization in the select-usb-device event callback, which did not validate the chosen device ID against the filtered list presented to the handler. An attacker can gain unauthorized access to USB devices that do not match the intended filters or are listed in exclusion filters by influencing the handler to select a device ID outside the allowed set.

Note:

This is only exploitable if the application implements unusual device-selection logic that can be manipulated.

How to fix Missing Authorization?

Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.8

HTTP Response Splitting

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to HTTP Response Splitting via the protocol.handle, protocol.registerSchemesAsPrivileged, or webRequest.onHeadersReceived functions. An attacker can manipulate HTTP response headers by injecting attacker-controlled input into a response header name or value, potentially allowing the setting of arbitrary headers that affect cookies, content security policy, or cross-origin access controls.

Note:

This is only exploitable if untrusted external input is reflected into response headers.

How to fix HTTP Response Splitting?

Upgrade electron to version 38.8.6, 39.8.3, 40.8.3, 41.0.3 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.3>=40.0.0-alpha.2 <40.8.3>=41.0.0-alpha.1 <41.0.3

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the offscreen rendering process when a parent WebContents is destroyed while a child window remains open. An attacker can cause memory corruption or application crash by triggering paint frames on the child window that dereference freed memory.

Note:

This is only exploitable if offscreen rendering is enabled (webPreferences.offscreen: true) and the setWindowOpenHandler permits child windows.

How to fix Use After Free?

Upgrade electron to version 39.8.1, 40.7.0, 41.0.0 or higher.

<39.8.1>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0

Hidden Functionality

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Hidden Functionality via the commandLineSwitches webPreference. An attacker can inject arbitrary command-line switches into the renderer process by supplying untrusted configuration objects, potentially disabling security controls or sandboxing.

Note:

This is only exploitable if external or untrusted input is used to construct webPreferences without an explicit allowlist.

How to fix Hidden Functionality?

Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.0>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0-beta.8

Arbitrary Code Injection

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Arbitrary Code Injection via modification of the resources folder when the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses are enabled. An attacker can execute unauthorized code by altering files within the application directory, bypassing ASAR integrity checks.

Note: This is only exploitable if the application is launched from a filesystem to which the attacker has write access.

How to fix Arbitrary Code Injection?

Upgrade electron to version 35.7.5, 36.8.1, 37.3.1, 38.0.0-beta.6 or higher.

<35.7.5>=36.0.0-alpha.1 <36.8.1>=37.0.0-alpha.1 <37.3.1>=38.0.0-alpha.1 <38.0.0-beta.6

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via MediaStreamTrackImpl. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.

How to fix Use After Free?

Upgrade electron to version 37.2.6 or higher.

<37.2.6

Access of Resource Using Incompatible Type ('Type Confusion')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the lack of limitation on max inlining ids in MaglevGraphBuilder. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade electron to version 37.2.5 or higher.

<37.2.5

Access of Resource Using Incompatible Type ('Type Confusion')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via lack of support for escapes in PreParserIdentifier V8` process. An attacker can achieve heap corruption by enticing a user to visit a specially crafted HTML page.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade electron to version 37.2.5 or higher.

<37.2.5

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via improper handling of possible socket destruction in P2PSocketTcpBase. An attacker can achieve heap corruption and potentially execute arbitrary code by enticing a user to visit a specially crafted HTML page.

How to fix Use After Free?

Upgrade electron to version 37.2.4 or higher.

<37.2.4

Integer Overflow or Wraparound

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via an incorrect count being passed to InstructionAccurateScope in the V8 engine. An attacker can cause heap corruption by enticing a user to visit a specially crafted HTML page.

How to fix Integer Overflow or Wraparound?

Upgrade electron to version 37.2.4 or higher.

<37.2.4

Incorrect Calculation of Buffer Size

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Incorrect Calculation of Buffer Size via insufficient validation of untrusted input in ANGLE and GPU. An attacker can escape the sandbox by submitting a specially crafted HTML page.

How to fix Incorrect Calculation of Buffer Size?

Upgrade electron to version 37.2.4 or higher.

<37.2.4

Function Call with Incorrectly Specified Arguments

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Function Call with Incorrectly Specified Arguments via an incorrect handle provided in unspecified circumstances in Mojo. An attacker can reflect a broker-initiated transport back to a broker, which ultimately allows for handle leaks if the reflected transport is later used to deserialize another transport containing handles.

How to fix Function Call with Incorrectly Specified Arguments?

Upgrade electron to version 36.3.0 or higher.

<36.3.0

Information Exposure

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Information Exposure via the Loader component. An attacker can leak sensitive cross-origin data by crafting a malicious HTML page.

How to fix Information Exposure?

Upgrade electron to version 36.3.0 or higher.

<36.3.0

Improper Isolation or Compartmentalization

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization that allows an attacker who can convince a user to follow a malicious link to escape sandbox protections, due to a logic error in the Mojo component. This vulnerability does not enable code execution on its own, but is presumed chainable with another vulnerability to achieve code execution and has been observed in the wild.

Note: This vulnerability is only exploitable on Windows.

How to fix Improper Isolation or Compartmentalization?

Upgrade electron to version 33.4.8, 34.4.1, 35.1.2 or higher.

<33.4.8>=34.0.0-alpha.1 <34.4.1>=35.0.0-alpha.1 <35.1.2

Access of Resource Using Incompatible Type ('Type Confusion')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in v8.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade electron to version 33.4.6, 34.3.4 or higher.

<33.4.6>=34.0.0 <34.3.4

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine.

How to fix Use After Free?

Upgrade electron to version 32.3.3, 33.4.3 or higher.

<32.3.3>=33.0.0-alpha.1 <33.4.3

Heap-based Buffer Overflow

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow in v8, when processing a very large number of parameters.

How to fix Heap-based Buffer Overflow?

Upgrade electron to version 32.3.2, 33.4.2 or higher.

<32.3.2>=33.0.0-alpha.1 <33.4.2

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free through the V8 engine. An attacker can potentially exploit heap corruption by crafting a malicious HTML page.

How to fix Use After Free?

Upgrade electron to version 33.4.3 or higher.

<33.4.3

Out-of-bounds Write

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through crafted HTML pages. An attacker can exploit heap corruption by sending a specially crafted HTML page to the victim.

How to fix Out-of-bounds Write?

Upgrade electron to version 32.3.2, 33.4.2 or higher.

<32.3.2>=33.0.0-alpha.1 <33.4.2

Out-of-bounds Write

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write via a crafted HTML page. An attacker can potentially exploit heap corruption by sending a specially crafted HTML page to the victim.

How to fix Out-of-bounds Write?

Upgrade electron to version 32.3.2, 33.4.2 or higher.

<32.3.2>=33.0.0-alpha.1 <33.4.2

External Control of Assumed-Immutable Web Parameter

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to External Control of Assumed-Immutable Web Parameter due to an integer overflow in the Skia component.

How to fix External Control of Assumed-Immutable Web Parameter?

Upgrade electron to version 32.3.0, 33.3.2 or higher.

>=32.0.0 <32.3.0>=33.0.0 <33.3.2

Out-of-bounds Read

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read through the Metrics process.

How to fix Out-of-bounds Read?

Upgrade electron to version 32.3.0, 33.3.2 or higher.

>=32.0.0 <32.3.0>=33.0.0 <33.3.2

Out-of-bounds Write

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in V8.

How to fix Out-of-bounds Write?

Upgrade electron to version 32.3.0, 33.3.2 or higher.

>=32.0.0 <32.3.0>=33.0.0 <33.3.2

Out-of-bounds Write

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write through a crafted HTML page. An attacker can execute arbitrary code inside a sandbox by crafting malicious HTML content.

How to fix Out-of-bounds Write?

Upgrade electron to version 32.3.0 or higher.

<32.3.0

Access of Resource Using Incompatible Type ('Type Confusion')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit object corruption by manipulating the HTML content.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade electron to version 31.7.7, 32.2.8 or higher.

>=31.0.0 <31.7.7>=32.0.0 <32.2.8

Access Restriction Bypass

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access Restriction Bypass due to an inappropriate implementation in the Extensions feature. An attacker can bypass site isolation.

How to fix Access Restriction Bypass?

Upgrade electron to version 31.7.5, 32.2.5, 33.2.1 or higher.

<31.7.5>=32.0.0-alpha.1 <32.2.5>=33.0.0 <33.2.1

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free via the Serial process. An attacker can potentially exploit heap corruption.

How to fix Use After Free?

Upgrade electron to version 31.7.5, 32.2.5 or higher.

<31.7.5>=32.0.0-alpha.1 <32.2.5

Access of Resource Using Incompatible Type ('Type Confusion')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade electron to version 32.2.3 or higher.

<32.2.3

Improper Access Control

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Access Control due to an inappropriate implementation in Extensions. An attacker can bypass site isolation.

How to fix Improper Access Control?

Upgrade electron to version 31.7.4, 32.2.3 or higher.

<31.7.4>=32.0.0 <32.2.3

Access of Resource Using Incompatible Type ('Type Confusion')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via a crafted HTML page. An attacker can potentially exploit heap corruption.

How to fix Access of Resource Using Incompatible Type ('Type Confusion')?

Upgrade electron to version 31.7.4, 32.2.3 or higher.

<31.7.4>=32.0.0 <32.2.3

Out-of-bounds Write

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Write in Dawn.

How to fix Out-of-bounds Write?

Upgrade electron to version 31.7.4, 32.2.3 or higher.

<31.7.4>=32.0.0 <32.2.3

Type Confusion

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Type Confusion in v8 engine.

How to fix Type Confusion?

Upgrade electron to version 32.3.0 or higher.

<32.3.0

electron@32.1.2

Build cross platform desktop apps with JavaScript, HTML, and CSS

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically