Skip to content

Update dependency electron to v22 [SECURITY]#268

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-electron-vulnerability
Open

Update dependency electron to v22 [SECURITY]#268
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-electron-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Aug 14, 2025

Copy link
Copy Markdown

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
electron 9.0.522.3.25 age confidence

Unpreventable top-level navigation

CVE-2020-15174 / GHSA-2q4g-w47c-4674

More information

Details

Impact

The will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites.

Patches
  • 11.0.0-beta.1
  • 10.0.1
  • 9.3.0
  • 8.5.1
Workarounds

Sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Context isolation bypass in Electron

CVE-2020-15215 / GHSA-56pc-6jqp-xqj8

More information

Details

Impact

Apps using both contextIsolation and sandbox: true are affected.
Apps using both contextIsolation and nativeWindowOpen: true are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions
  • 11.0.0-beta.6
  • 10.1.2
  • 9.3.1
  • 8.5.2
For more information

If you have any questions or comments about this advisory:

Severity

  • CVSS Score: 5.6 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


IPC messages delivered to the wrong frame in Electron

CVE-2020-26272 / GHSA-hvf8-h2qh-37m9

More information

Details

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

  • Uses remote
  • Calls webContents.sendToFrame
  • Calls event.reply in an IPC message handler
Patches

This has been fixed in the following versions:

  • 9.4.0
  • 10.2.0
  • 11.1.0
  • 12.0.0-beta.9
Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API

CVE-2021-39184 / GHSA-mpjm-v997-c4h4

More information

Details

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #​30728, and the following Electron versions contain the fix:

  • 15.0.0-alpha.10
  • 14.0.0
  • 13.3.0
  • 12.1.0
  • 11.5.0
Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Renderers can obtain access to random bluetooth device without permission in Electron

CVE-2022-21718 / GHSA-3p22-ghq8-v749

More information

Details

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6
Workarounds

Adding this code to your app can workaround the issue.

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 3.4 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled

CVE-2022-29247 / GHSA-mq8j-3h7h-p8g7

More information

Details

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access rather it depends on the existing sandbox setting. If your application is sandboxed then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which includes ipcRenderer).

If your application then additionally exposes IPC messages without IPC senderFrame validation that perform privileged actions or return confidential data this access to ipcRenderer can in turn compromise your application / user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5
Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Severity

  • CVSS Score: 2.2 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


AutoUpdater module fails to validate certain nested components of the bundle

CVE-2022-29257 / GHSA-77xc-hjv8-ww97

More information

Details

Impact

This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0
Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Exfiltration of hashed SMB credentials on Windows via file:// redirect

CVE-2022-36077 / GHSA-p2jh-44qj-pf2v

More information

Details

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @​coolcoolnoworries for reporting this issue.

Severity

  • CVSS Score: 5.4 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron vulnerable to out-of-package code execution when launched with arbitrary cwd

CVE-2023-39956 / GHSA-7x97-j373-85x5

More information

Details

Impact

Apps that are launched as command line executables are impacted. E.g. if your app exposes itself in the path as myapp --help

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Electron affected by libvpx's heap buffer overflow in vp8 encoding

CVE-2023-5217 / GHSA-qqvq-6xgj-jw8g

More information

Details

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


ASAR Integrity bypass via filetype confusion in electron

CVE-2023-44402 / GHSA-7m48-wc93-9g85

More information

Details

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions
  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 22.3.24
For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

electron/electron (electron)

v22.3.25: electron v22.3.25

Compare Source

Release Notes for v22.3.25

Other Changes

v22.3.24: electron v22.3.24

Compare Source

Release Notes for v22.3.24

Other Changes

v22.3.23: electron v22.3.23

Compare Source

Release Notes for v22.3.23

Other Changes

v22.3.22: electron v22.3.22

Compare Source

Release Notes for v22.3.22

Fixes

Other Changes

v22.3.21: electron v22.3.21

Compare Source

Release Notes for v22.3.21

Fixes

  • Fixed unnecessary package.json check on built-in modules. #​39425

Other Changes

v22.3.18: electron v22.3.18

Compare Source

Release Notes for v22.3.18

Other Changes

v22.3.17: electron v22.3.17

Compare Source

Release Notes for v22.3.17

Other Changes

v22.3.16: electron v22.3.16

Compare Source

Release Notes for v22.3.16

Other Changes

v22.3.15: electron v22.3.15

Compare Source

Release Notes for v22.3.15

Other Changes

v22.3.14: electron v22.3.14

Compare Source

Release Notes for v22.3.14

Other Changes

v22.3.13: electron v22.3.13

Compare Source

Release Notes for v22.3.13

Other Changes

v22.3.12: electron v22.3.12

Compare Source

Release Notes for v22.3.12

Other Changes

v22.3.11: electron v22.3.11

Compare Source

Release Notes for v22.3.11

Other Changes

v22.3.10: electron v22.3.10

Compare Source

Release Notes for v22.3.10

Other Changes

v22.3.9: electron v22.3.9

Compare Source

Release Notes for v22.3.9

Other Changes

  • Fixed drag-and-drop crash on Wayland. #​38199

v22.3.8: electron v22.3.8

Compare Source

Release Notes for v22.3.8

Fixes

  • Fixed crash when executing eval in the utility process. #​38156 (Also in 23, 24, 25)

v22.3.7: electron v22.3.7

Compare Source

Release Notes for v22.3.7

Fixes

  • Fixed an issue which made defaultFontFamily in webPreferences have no effect. #​37970 (Also in 23, 24, 25)
  • Fixed broken defaults in shell.openExternal() options. #​38092 (Also in 23, 24, 25)
  • Fixed the active background color for top-level menu items on Windows. #​37991 (Also in 23, 24)

Other Changes

v22.3.6: electron v22.3.6

Compare Source

Release Notes for v22.3.6

Fixes

  • Fixed recommended node-gyp version in node.h error. #​37942 (Also in 23, 24, 25)
  • Security: Fixed an issue with Content-Security-Policy not being correctly enforced when sandbox: false and contextIsolation: false. (CVE-2023-23623). #​37843 (Also in 24)

Other Changes

v22.3.5: electron v22.3.5

Compare Source

Release Notes for v22.3.5

Fixes

  • Fixed an issue where calling port.postMessage in MessagePortMain with some invalid parameters could cause a crash. #​37725 (Also in 23, 24)
  • Fixed canceling of bluetooth requests when no devices are returned. #​37739 (Also in 23, 24)

Other Changes

v22.3.4: electron v22.3.4

Compare Source

Release Notes for v22.3.4

Fixes

  • Fixed an issue with potential dock icon duplication on macOS. #​37623 (Also in 23, 24)
  • Fixed issue with BrowserWindow not updating after call to previewFile. #​37576 (Also in 23, 24)
  • Improved error messages on session.cookies.set failure. #​37595 (Also in 23, 24)

Other Changes

v22.3.3: electron v22.3.3

Compare Source

Release Notes for v22.3.3

Fixes

  • Fixed an issue where unhandled rejections could cause duplicate logs in some cases. #​37502 (Also in 23, 24)

Other Changes

v22.3.2: electron v22.3.2

Compare Source

Release Notes for v22.3.2

Fixes

  • Fixed an issue where minWidth/minHeight and maxWidth/maxHeight would not be enforced if the user set an aspectRatio on macOS. #​37458 (Also in 23, 24)
  • Fixed an issue where passing both hasReply and actions to a main process Notification on macOS resulted in the first action being obscured and unavailable. #​37447 (Also in 23, 24)
  • Fixed window could not go back to maximized state when restored on Linux. #​37360 (Also in 23, 24)

Other Changes

  • Improved error messages for contents.takeHeapSnapshot. #​37459 (Also in 23, 24)

v22.3.1: electron v22.3.1

Compare Source

Release Notes for v22.3.1

Other Changes

  • Security: backported fix for chromium:1408392. #​37298

Documentation

v22.3.0: electron v22.3.0

Compare Source

Release Notes for v22.3.0

Features

  • Added several standard page size options to webContents.print(). #​37263 (Also in 23, 24)

Fixes

  • Fixed a crash when BrowserViews are present and a user attempts to prevent beforeunload in the renderer process. #​37266 (Also in 23, 24)
  • Fixed an incorrect result returned when using secure as a cookies filter. #​37247 (Also in 24)

Other Changes

v22.2.1: electron v22.2.1

Compare Source

Release Notes for v22.2.1

Features

  • Whole-program optimization is enabled by default in electron node headers config file. #​37047 (Also in 21, 23)

Fixes

  • Basic accessibility support is now enabled when macOS Voice Control is activated to allow for full voice control of Electron applications. #​37146 (Also in 21, 23)
  • Fixed audio worklet scripts failing to run when nodeIntegrationInWorker: true. #​37102 (Also in 23)

Documentation

v22.2.0: electron v22.2.0

Compare Source

Release Notes for v22.0.0

Stack Upgrades

Note

PR body was truncated to here.

@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from a9b3bd6 to 594634b Compare August 19, 2025 18:49
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 594634b to 163566c Compare September 4, 2025 03:57
@renovate renovate Bot changed the title Update dependency electron to v28 [SECURITY] Update dependency electron to v35 [SECURITY] Sep 4, 2025
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 163566c to eab6f41 Compare September 25, 2025 21:22
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from eab6f41 to 76e36bc Compare October 15, 2025 22:14
@renovate renovate Bot changed the title Update dependency electron to v35 [SECURITY] Update dependency electron to v18 [SECURITY] Oct 15, 2025
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from 76e36bc to de8ac9a Compare February 4, 2026 04:53
@renovate renovate Bot changed the title Update dependency electron to v18 [SECURITY] Update dependency electron to v22 [SECURITY] Feb 4, 2026
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from de8ac9a to e0e93bf Compare February 5, 2026 01:03
@renovate renovate Bot changed the title Update dependency electron to v22 [SECURITY] Update dependency electron to v22 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-electron-vulnerability branch March 27, 2026 00:53
@renovate renovate Bot changed the title Update dependency electron to v22 [SECURITY] - autoclosed Update dependency electron to v22 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-electron-vulnerability branch from e0e93bf to 2c52b49 Compare March 30, 2026 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants