electron@39.5.1

Build cross platform desktop apps with JavaScript, HTML, and CSS

  • latest version

    42.0.0

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    1 day ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the electron package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • L
    NULL Pointer Dereference

    electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

    Affected versions of this package are vulnerable to NULL Pointer Dereference in the clipboard.readImage() function when processing malformed clipboard image data. An attacker can cause the application to crash by placing invalid image data on the system clipboard and triggering the function.

    How to fix NULL Pointer Dereference?

    Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

    Vulnerable versions: <39.8.5 || >=40.0.0-alpha.2 <40.8.5 || >=41.0.0-alpha.1 <41.1.0 || >=42.0.0-alpha.1 <42.0.0-alpha.5
    • L
    Exposure of Resource to Wrong Sphere

    Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the window.open() function. An attacker can gain access to or manipulate the browsing context of a window opened by a different renderer by using the same target name, potentially inheriting elevated permissions such as privileged preload scripts or relaxed security settings. This is only exploitable if multiple top-level windows with differing trust levels are opened and setWindowOpenHandler is used to grant elevated webPreferences to child windows.

    How to fix Exposure of Resource to Wrong Sphere?

    Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

    Vulnerable versions: <39.8.5 || >=40.0.0-alpha.2 <40.8.5 || >=41.0.0-alpha.1 <41.1.0 || >=42.0.0-alpha.1 <42.0.0-alpha.5
    • L
    Use After Free

    Affected versions of this package are vulnerable to Use After Free in the release callback of the paint event, when offscreen rendering with GPU shared textures is enabled. An attacker can cause a crash or memory corruption by invoking the callback after its backing native state has been freed.

    Note: This is only exploitable if offscreen rendering is used with webPreferences.offscreen: { useSharedTexture: true } enabled.

    How to fix Use After Free?

    Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

    Vulnerable versions: >=33.0.0-alpha.1 <39.8.5 || >=40.0.0-alpha.2 <40.8.5 || >=41.0.0-alpha.1 <41.1.0 || >=42.0.0-alpha.1 <42.0.0-alpha.5
    • M
    Origin Validation Error

    Affected versions of this package are vulnerable to Origin Validation Error in the session.setPermissionRequestHandler function. An attacker can gain unauthorized access to permissions such as fullscreen, pointerLock, keyboardLock, openExternal, or media by embedding malicious iframes that exploit the incorrect origin parameter passed to the handler. This may result in third-party content being granted permissions intended only for trusted origins.

    Note: This is only exploitable if the application grants permissions based on the origin parameter or webContents.getURL() rather than details.requestingUrl.

    How to fix Origin Validation Error?

    Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.1 || >=40.0.0-alpha.2 <40.8.1 || >=41.0.0-alpha.1 <41.0.0
    • H
    Command Injection

    Affected versions of this package are vulnerable to Command Injection in the app.moveToApplicationsFolder function on macOS when handling application bundle paths containing certain characters. An attacker can execute arbitrary AppleScript code by crafting a malicious launch path and convincing a user to accept the move-to-Applications prompt.

    Note: This is only exploitable if the application calls app.moveToApplicationsFolder().

    How to fix Command Injection?

    Upgrade electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.1 || >=40.0.0-alpha.2 <40.8.0 || >=41.0.0-alpha.1 <41.0.0-beta.8
    • M
    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the app.setAsDefaultProtocolClient function. An attacker can gain the ability to write to arbitrary registry subkeys by supplying a crafted protocol name derived from untrusted input. This may allow hijacking of existing protocol handlers.

    Note: This is only exploitable if the protocol name passed to app.setAsDefaultProtocolClient is not hardcoded and is instead derived from external or untrusted sources.

    How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

    Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.1 || >=40.0.0-alpha.2 <40.8.1 || >=41.0.0-alpha.1 <41.0.0
    • H
    Use After Free

    Affected versions of this package are vulnerable to Use After Free in the powerMonitor function. An attacker can cause memory corruption or application crashes by triggering session-change events on Windows or system shutdown events on macOS after the native object has been garbage-collected, leading to dereferencing of freed memory.

    How to fix Use After Free?

    Upgrade electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.1 || >=40.0.0-alpha.2 <40.8.0 || >=41.0.0-alpha.1 <41.0.0-beta.8
    • M
    Use After Free

    Affected versions of this package are vulnerable to Use After Free in the download save dialog callback process. An attacker can cause a crash or memory corruption by triggering session destruction while a native save-file dialog is open and then dismissing the dialog.

    Note: This is only exploitable if the application allows downloads and programmatically destroys sessions at runtime.

    How to fix Use After Free?

    Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.7 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.0 || >=40.0.0-alpha.2 <40.7.0 || >=41.0.0-alpha.1 <41.0.0-beta.7
    • M
    Insufficient Verification of Data Authenticity

    Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the webContents.executeJavaScript function. An attacker can manipulate the main-process promise to resolve with attacker-controlled data by spoofing reply messages on the internal IPC channel.

    Note: This is only exploitable if service workers are registered and the result of webContents.executeJavaScript() or webFrameMain.executeJavaScript() is used in security-sensitive decisions.

    How to fix Insufficient Verification of Data Authenticity?

    Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.1 || >=40.0.0-alpha.2 <40.8.1 || >=41.0.0-alpha.1 <41.0.0
    • H
    Use After Free

    Affected versions of this package are vulnerable to Use After Free via the session.setPermissionRequestHandler process. An attacker can cause a crash or memory corruption by triggering a permission request for fullscreen, pointer-lock, or keyboard-lock, and then navigating the requesting frame or closing the window while the permission handler is pending.

    Note: This is only exploitable if an asynchronous permission request handler is registered and invoked while the request is pending.

    How to fix Use After Free?

    Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.0 || >=40.0.0-alpha.2 <40.7.0 || >=41.0.0-alpha.1 <41.0.0-beta.8
    • M
    Out-of-bounds Read

    Affected versions of this package are vulnerable to Out-of-bounds Read in the second-instance event handler when parsing a crafted second-instance message via the app.requestSingleInstanceLock process. An attacker can access sensitive memory contents or cause application instability by sending a specially crafted message from another process running as the same user.

    Note: This is only exploitable if the application calls app.requestSingleInstanceLock() and runs on macOS or Linux, where the attacker's process runs as the same user.

    How to fix Out-of-bounds Read?

    Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.1 || >=40.0.0-alpha.2 <40.8.1 || >=41.0.0-alpha.1 <41.0.0
    • H
    Improper Isolation or Compartmentalization

    Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the nodeIntegrationInWorker configuration in shared renderer processes. An attacker can gain unauthorized access to Node.js integration by exploiting process-sharing scenarios where workers in frames configured with nodeIntegrationInWorker: false still receive Node.js integration.

    Note: This is only exploitable if nodeIntegrationInWorker is enabled in applications that also open child windows or embed content with differing webPreferences.

    How to fix Improper Isolation or Compartmentalization?

    Upgrade electron to version 38.8.6, 39.8.4, 40.8.4, 41.0.0 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.4 || >=40.0.0-alpha.2 <40.8.4 || >=41.0.0-alpha.1 <41.0.0
    • H
    Unquoted Search Path or Element

    Affected versions of this package are vulnerable to Unquoted Search Path or Element in the app.setLoginItemSettings function on Windows when the executable path is written to the Run registry key without proper quoting. An attacker can execute arbitrary code at login by placing a malicious executable in an ancestor directory if the application is installed to a path containing spaces and the attacker has write access to that directory.

    Note: This is only exploitable if the application is installed in a non-standard location where ancestor directories are not protected against unauthorized writes.

    How to fix Unquoted Search Path or Element?

    Upgrade electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.1 || >=40.0.0-alpha.2 <40.8.0 || >=41.0.0-alpha.1 <41.0.0-beta.8
    • L
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the select-usb-device event callback, which did not validate the chosen device ID against the filtered list presented to the handler. An attacker can gain unauthorized access to USB devices that do not match the intended filters or are listed in exclusion filters by influencing the handler to select a device ID outside the allowed set.

    Note: This is only exploitable if the application implements unusual device-selection logic that can be manipulated.

    How to fix Missing Authorization?

    Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.0 || >=40.0.0-alpha.2 <40.7.0 || >=41.0.0-alpha.1 <41.0.0-beta.8
    • M
    HTTP Response Splitting

    Affected versions of this package are vulnerable to HTTP Response Splitting via the protocol.handle, protocol.registerSchemesAsPrivileged, or webRequest.onHeadersReceived functions. An attacker can manipulate HTTP response headers by injecting attacker-controlled input into a response header name or value, potentially allowing the setting of arbitrary headers that affect cookies, content security policy, or cross-origin access controls.

    Note: This is only exploitable if untrusted external input is reflected into response headers.

    How to fix HTTP Response Splitting?

    Upgrade electron to version 38.8.6, 39.8.3, 40.8.3, 41.0.3 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.3 || >=40.0.0-alpha.2 <40.8.3 || >=41.0.0-alpha.1 <41.0.3
    • C
    Use After Free

    Affected versions of this package are vulnerable to Use After Free in the offscreen rendering process when a parent WebContents is destroyed while a child window remains open. An attacker can cause memory corruption or application crash by triggering paint frames on the child window that dereference freed memory.

    Note: This is only exploitable if offscreen rendering is enabled (webPreferences.offscreen: true) and the setWindowOpenHandler permits child windows.

    How to fix Use After Free?

    Upgrade electron to version 39.8.1, 40.7.0, 41.0.0 or higher.

    Vulnerable versions: <39.8.1 || >=40.0.0-alpha.2 <40.7.0 || >=41.0.0-alpha.1 <41.0.0
    • H
    Insecure Default Initialization of Resource

    Affected versions of this package are vulnerable to Insecure Default Initialization of Resource in the transfer of VideoFrame objects via contextBridge. An attacker can gain access to the isolated world, including any Node.js APIs exposed to the preload script, by executing JavaScript in the main world and leveraging a bridged VideoFrame object.

    Note: This is only exploitable if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld().

    How to fix Insecure Default Initialization of Resource?

    Upgrade electron to version 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

    Vulnerable versions: >=39.0.0-alpha.1 <39.8.0 || >=40.0.0-alpha.2 <40.7.0 || >=41.0.0-alpha.1 <41.0.0-beta.8
    • H
    Hidden Functionality

    Affected versions of this package are vulnerable to Hidden Functionality via the commandLineSwitches webPreference. An attacker can inject arbitrary command-line switches into the renderer process by supplying untrusted configuration objects, potentially disabling security controls or sandboxing.

    Note: This is only exploitable if external or untrusted input is used to construct webPreferences without an explicit allowlist.

    How to fix Hidden Functionality?

    Upgrade electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.8 or higher.

    Vulnerable versions: <38.8.6 || >=39.0.0-alpha.1 <39.8.0 || >=40.0.0-alpha.2 <40.7.0 || >=41.0.0-alpha.1 <41.0.0-beta.8