[Cycode] Fix for vulnerable manifest file dependency - electron updated to version 22.0.0-alpha.1#277
Conversation
…ed to version 22.0.0-alpha.1
![cycode-security-eu[bot]](https://avatars.githubusercontent.com/in/242055?s=60&v=4){kind=small}
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerabilities found in newly introduced dependency.
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
The following vulnerabilities were introduced:
| GHSA | CVE | Severity | Fixed Version |
|---|---|---|---|
| GHSA-f3pv-wv63-48x8 | CVE-2026-34765 | MEDIUM | 39.8.5 |
| GHSA-5rqw-r77c-jp79 | CVE-2026-34779 | MEDIUM | 38.8.6 |
| GHSA-xj5x-m3f3-5x3h | CVE-2026-34778 | MEDIUM | 38.8.6 |
| GHSA-r5p7-gp4j-qhrx | CVE-2026-34777 | MEDIUM | 38.8.6 |
| GHSA-3c8v-cfp5-9885 | CVE-2026-34776 | MEDIUM | 38.8.6 |
| GHSA-xwr5-m59h-vwqr | CVE-2026-34775 | MEDIUM | 38.8.6 |
| GHSA-532v-xpq5-8h95 | CVE-2026-34774 | HIGH | 39.8.1 |
| GHSA-mwmh-mq4g-g6gr | CVE-2026-34773 | MEDIUM | 38.8.6 |
| GHSA-9w97-2464-8783 | CVE-2026-34772 | MEDIUM | 38.8.6 |
| GHSA-8337-3p73-46f4 | CVE-2026-34771 | HIGH | 38.8.6 |
| GHSA-jjp3-mq3x-295m | CVE-2026-34770 | HIGH | 38.8.6 |
| GHSA-9wfr-w7mm-pc7f | CVE-2026-34769 | HIGH | 38.8.6 |
| GHSA-4p4r-m79c-wq3v | CVE-2026-34767 | MEDIUM | 38.8.6 |
| GHSA-vmqv-hx8q-j7mg | CVE-2025-55305 | MEDIUM | 35.7.5 |
| GHSA-6r2x-8pq8-9489 | CVE-2024-46993 | MEDIUM | 28.3.2 |
Highest fixed version: 39.8.5
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
![cycode-security[bot]](https://avatars.githubusercontent.com/in/39308?s=60&v=4){kind=small}
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: Named window.open targets not scoped to the opener's browsing context: CVE-2026-34765 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 39.8.5 |
Impact
When a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions.
Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.
Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution.
Workarounds
Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.
Fixed Versions
42.0.0-alpha.541.1.040.8.539.8.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: AppleScript injection in app.moveToApplicationsFolder on macOS: CVE-2026-34779 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.
Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.840.8.039.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: Service worker can spoof executeJavaScript IPC replies: CVE-2026-34778 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.
Workarounds
Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: Incorrect origin passed to permission request handler for iframe requests: CVE-2026-34777 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.
The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.
Workarounds
In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: Out-of-bounds read in second-instance IPC on macOS and Linux: CVE-2026-34776 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.
This issue is limited to processes running as the same user as the Electron app.
Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes: CVE-2026-34775 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.
Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.
Workarounds
Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.
Fixed Versions
41.0.040.8.439.8.438.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | High |
| Issue | Electron: Use-after-free in offscreen child window paint callback: CVE-2026-34774 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 39.8.1 |
Impact
Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.
Workarounds
Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.
Fixed Versions
41.0.040.7.039.8.1
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows: CVE-2026-34773 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.
Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
Workarounds
Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: Use-after-free in download save dialog callback: CVE-2026-34772 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.
Workarounds
Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.
Fixed Versions
41.0.0-beta.740.7.039.8.038.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | High |
| Issue | Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks: CVE-2026-34771 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.
Workarounds
Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.
Fixed Versions
41.0.0-beta.840.7.039.8.038.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | High |
| Issue | Electron: Use-after-free in PowerMonitor on Windows and macOS: CVE-2026-34770 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.
All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.840.8.039.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | High |
| Issue | Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference: CVE-2026-34769 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.
Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.
Workarounds
Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.
Fixed Versions
41.0.0-beta.840.7.039.8.038.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron: HTTP Response Header Injection in custom protocol handlers and webRequest: CVE-2026-34767 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 38.8.6 |
Impact
Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.
An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.
Apps that do not reflect external input into response headers are not affected.
Workarounds
Validate or sanitize any untrusted input before including it in a response header name or value.
Fixed Versions
41.0.340.8.339.8.338.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron has ASAR Integrity Bypass via resource modification: CVE-2025-55305 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 35.7.5 |
Impact
This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.
Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
38.0.0-beta.637.3.136.8.135.7.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
| "resolved": "https://registry.npmjs.org/duplexer3/-/duplexer3-0.1.4.tgz", | ||
| "integrity": "sha1-7gHdHKwO08vH/b6jfcCo8c4ALOI=", | ||
| "dev": true | ||
| "node_modules/electron": { |
There was a problem hiding this comment.
❗Cycode: Security vulnerability found in newly introduced dependency.
| Severity | Medium |
| Issue | Electron vulnerable to Heap Buffer Overflow in NativeImage: CVE-2024-46993 |
| Ecosystem | NPM |
| Dependency | electron |
| Dependency Paths | electron 22.3.27 |
| Direct Dependency | Yes |
| Development Dependency | Yes |
| Upgrade | 28.3.2 |
Impact
The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.
Workaround
There are no app-side workarounds for this issue. You must update your Electron version to be protected.
Patches
v28.3.2v29.3.3v30.0.3
For More Information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
Description
Detects when new vulnerabilities affect your dependencies.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_manifest_here <reason> | Applies to this manifest in this request only |
| #cycode_ignore_package_everywhere <reason> | Applies to this manifest for this package for all requests in your repository |
| #cycode_ignore_package_here <reason> | Applies to this manifest for this package in this request only |
| #cycode_vulnerable_package_fix_this_violation | Fix this violation via a commit to this branch |
Cycode Vulnerable Dependencies Update
This pull request updates the following manifest file:
gitea/repositories/mock-turtle/examples/09 - Eelectron-quick-start/package.json📂 gitea/repositories/mock-turtle/examples/09 - Eelectron-quick-start/package.json
1 package will be updated to resolve vulnerabilities:
electronImportant
This pull request updates the major version for one or more packages. Make sure changes are tested before merging.