electron 41.0.0-beta.8

Direct Vulnerabilities

Known vulnerabilities in the electron package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L NULL Pointer Dereference electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to NULL Pointer Dereference in the `clipboard.readImage()` function when processing malformed clipboard image data. An attacker can cause the application to crash by placing invalid image data on the system clipboard and triggering the function. How to fix NULL Pointer Dereference? Upgrade `electron` to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.	<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5
L Exposure of Resource to Wrong Sphere electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the `window.open()` function. An attacker can gain access to or manipulate the browsing context of a window opened by a different renderer by using the same target name, potentially inheriting elevated permissions such as privileged preload scripts or relaxed security settings. This is only exploitable if multiple top-level windows with differing trust levels are opened and `setWindowOpenHandler` is used to grant elevated `webPreferences` to child windows. How to fix Exposure of Resource to Wrong Sphere? Upgrade `electron` to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.	<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5
L Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the `release` callback of the `paint` event, when offscreen rendering with GPU shared textures is enabled. An attacker can cause a crash or memory corruption by invoking the callback after its backing native state has been freed. Note: This is only exploitable if offscreen rendering is used with `webPreferences.offscreen: { useSharedTexture: true }` enabled. How to fix Use After Free? Upgrade `electron` to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.	>=33.0.0-alpha.1 <39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5
M Origin Validation Error electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Origin Validation Error in the `session.setPermissionRequestHandler` function. An attacker can gain unauthorized access to permissions such as `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` by embedding malicious iframes that exploit the incorrect origin parameter passed to the handler. This may result in third-party content being granted permissions intended only for trusted origins. Note: This is only exploitable if the application grants permissions based on the origin parameter or `webContents.getURL()` rather than `details.requestingUrl`. How to fix Origin Validation Error? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
M Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the `app.setAsDefaultProtocolClient` function. An attacker can gain the ability to write to arbitrary registry subkeys by supplying a crafted protocol name derived from untrusted input. This may allow hijacking of existing protocol handlers. Note: This is only exploitable if the protocol name passed to `app.setAsDefaultProtocolClient` is not hardcoded and is instead derived from external or untrusted sources. How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
M Insufficient Verification of Data Authenticity electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the `webContents.executeJavaScript` function. An attacker can manipulate the main-process promise to resolve with attacker-controlled data by spoofing reply messages on the internal IPC channel. Note: This is only exploitable if service workers are registered and the result of `webContents.executeJavaScript()` or `webFrameMain.executeJavaScript()` is used in security-sensitive decisions. How to fix Insufficient Verification of Data Authenticity? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
M Out-of-bounds Read electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Out-of-bounds Read in the `second-instance` event handler when parsing a crafted second-instance message via the `app.requestSingleInstanceLock` process. An attacker can access sensitive memory contents or cause application instability by sending a specially crafted message from another process running as the same user. Note: This is only exploitable if the application calls `app.requestSingleInstanceLock()` and is running on macOS or Linux as the same user. How to fix Out-of-bounds Read? Upgrade `electron` to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
H Improper Isolation or Compartmentalization electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the `nodeIntegrationInWorker` configuration in shared renderer processes. An attacker can gain unauthorized access to Node.js integration by exploiting process-sharing scenarios where workers in frames configured with `nodeIntegrationInWorker: false` still receive Node.js integration. Note: This is only exploitable if `nodeIntegrationInWorker` is enabled in applications that also open child windows or embed content with differing webPreferences. How to fix Improper Isolation or Compartmentalization? Upgrade `electron` to version 38.8.6, 39.8.4, 40.8.4, 41.0.0 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.4>=40.0.0-alpha.2 <40.8.4>=41.0.0-alpha.1 <41.0.0
M HTTP Response Splitting electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to HTTP Response Splitting via the `protocol.handle`, `protocol.registerSchemesAsPrivileged`, or `webRequest.onHeadersReceived` functions. An attacker can manipulate HTTP response headers by injecting attacker-controlled input into a response header name or value, potentially allowing the setting of arbitrary headers that affect cookies, content security policy, or cross-origin access controls. Note: This is only exploitable if untrusted external input is reflected into response headers. How to fix HTTP Response Splitting? Upgrade `electron` to version 38.8.6, 39.8.3, 40.8.3, 41.0.3 or higher.	<38.8.6>=39.0.0-alpha.1 <39.8.3>=40.0.0-alpha.2 <40.8.3>=41.0.0-alpha.1 <41.0.3
C Use After Free electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Use After Free in the offscreen rendering process when a parent `WebContents` is destroyed while a child window remains open. An attacker can cause memory corruption or application crash by triggering paint frames on the child window that dereference freed memory. Note: This is only exploitable if offscreen rendering is enabled (`webPreferences.offscreen: true`) and the `setWindowOpenHandler` permits child windows. How to fix Use After Free? Upgrade `electron` to version 39.8.1, 40.7.0, 41.0.0 or higher.	<39.8.1>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0

Vulnerability

Vulnerable Version

NULL Pointer Dereference

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to NULL Pointer Dereference in the clipboard.readImage() function when processing malformed clipboard image data. An attacker can cause the application to crash by placing invalid image data on the system clipboard and triggering the function.

How to fix NULL Pointer Dereference?

Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5

Exposure of Resource to Wrong Sphere

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the window.open() function. An attacker can gain access to or manipulate the browsing context of a window opened by a different renderer by using the same target name, potentially inheriting elevated permissions such as privileged preload scripts or relaxed security settings. This is only exploitable if multiple top-level windows with differing trust levels are opened and setWindowOpenHandler is used to grant elevated webPreferences to child windows.

How to fix Exposure of Resource to Wrong Sphere?

Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

<39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the release callback of the paint event, when offscreen rendering with GPU shared textures is enabled. An attacker can cause a crash or memory corruption by invoking the callback after its backing native state has been freed.

Note: This is only exploitable if offscreen rendering is used with webPreferences.offscreen: { useSharedTexture: true } enabled.

How to fix Use After Free?

Upgrade electron to version 39.8.5, 40.8.5, 41.1.0, 42.0.0-alpha.5 or higher.

>=33.0.0-alpha.1 <39.8.5>=40.0.0-alpha.2 <40.8.5>=41.0.0-alpha.1 <41.1.0>=42.0.0-alpha.1 <42.0.0-alpha.5

Origin Validation Error

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Origin Validation Error in the session.setPermissionRequestHandler function. An attacker can gain unauthorized access to permissions such as fullscreen, pointerLock, keyboardLock, openExternal, or media by embedding malicious iframes that exploit the incorrect origin parameter passed to the handler. This may result in third-party content being granted permissions intended only for trusted origins.

Note:

This is only exploitable if the application grants permissions based on the origin parameter or webContents.getURL() rather than details.requestingUrl.

How to fix Origin Validation Error?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in the app.setAsDefaultProtocolClient function. An attacker can gain the ability to write to arbitrary registry subkeys by supplying a crafted protocol name derived from untrusted input. This may allow hijacking of existing protocol handlers.

Note:

This is only exploitable if the protocol name passed to app.setAsDefaultProtocolClient is not hardcoded and is instead derived from external or untrusted sources.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Insufficient Verification of Data Authenticity

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the webContents.executeJavaScript function. An attacker can manipulate the main-process promise to resolve with attacker-controlled data by spoofing reply messages on the internal IPC channel.

Note:

This is only exploitable if service workers are registered and the result of webContents.executeJavaScript() or webFrameMain.executeJavaScript() is used in security-sensitive decisions.

How to fix Insufficient Verification of Data Authenticity?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Out-of-bounds Read

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Out-of-bounds Read in the second-instance event handler when parsing a crafted second-instance message via the app.requestSingleInstanceLock process. An attacker can access sensitive memory contents or cause application instability by sending a specially crafted message from another process running as the same user.

Note:

This is only exploitable if the application calls app.requestSingleInstanceLock() and is running on macOS or Linux as the same user.

How to fix Out-of-bounds Read?

Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0

Improper Isolation or Compartmentalization

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the handling of the nodeIntegrationInWorker configuration in shared renderer processes. An attacker can gain unauthorized access to Node.js integration by exploiting process-sharing scenarios where workers in frames configured with nodeIntegrationInWorker: false still receive Node.js integration.

Note:

This is only exploitable if nodeIntegrationInWorker is enabled in applications that also open child windows or embed content with differing webPreferences.

How to fix Improper Isolation or Compartmentalization?

Upgrade electron to version 38.8.6, 39.8.4, 40.8.4, 41.0.0 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.4>=40.0.0-alpha.2 <40.8.4>=41.0.0-alpha.1 <41.0.0

HTTP Response Splitting

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to HTTP Response Splitting via the protocol.handle, protocol.registerSchemesAsPrivileged, or webRequest.onHeadersReceived functions. An attacker can manipulate HTTP response headers by injecting attacker-controlled input into a response header name or value, potentially allowing the setting of arbitrary headers that affect cookies, content security policy, or cross-origin access controls.

Note:

This is only exploitable if untrusted external input is reflected into response headers.

How to fix HTTP Response Splitting?

Upgrade electron to version 38.8.6, 39.8.3, 40.8.3, 41.0.3 or higher.

<38.8.6>=39.0.0-alpha.1 <39.8.3>=40.0.0-alpha.2 <40.8.3>=41.0.0-alpha.1 <41.0.3

Use After Free

electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.

Affected versions of this package are vulnerable to Use After Free in the offscreen rendering process when a parent WebContents is destroyed while a child window remains open. An attacker can cause memory corruption or application crash by triggering paint frames on the child window that dereference freed memory.

Note:

This is only exploitable if offscreen rendering is enabled (webPreferences.offscreen: true) and the setWindowOpenHandler permits child windows.

How to fix Use After Free?

Upgrade electron to version 39.8.1, 40.7.0, 41.0.0 or higher.

<39.8.1>=40.0.0-alpha.2 <40.7.0>=41.0.0-alpha.1 <41.0.0

electron@41.0.0-beta.8

Build cross platform desktop apps with JavaScript, HTML, and CSS

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically