Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Versions below 35.7.5, 36.0.0-alpha.1 through 36.8.0, 37.0.0-alpha.1 through 37.3.1 and 38.0.0-alpha.1 through 38.0.0-beta.6 are vulnerable to an ASAR integrity bypass via resource modification. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is fixed in versions 35.7.5, 36.8.1, 37.3.1 and 38.0.0-beta.6.
References (9)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
Issue Tracking x_refsource_misc
https://github.com/electron/electron/pull/48101
Issue Tracking x_refsource_misc
https://github.com/electron/electron/pull/48102
Issue Tracking x_refsource_misc
https://github.com/electron/electron/pull/48103
Issue Tracking x_refsource_misc
https://github.com/electron/electron/pull/48104
Patch x_refsource_misc
https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
Patch x_refsource_misc
https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1
Patch x_refsource_misc
https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d
Scores
CVSS v3
6.1
EPSS
0.0027
EPSS Percentile
18.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-829
CWE-94
Status
published
Products (5)
electron/electron
< 35.7.5
electron/electron
>= 36.0.0-alpha.1, < 36.8.1
electron/electron
>= 37.0.0-alpha.1, < 37.3.1
electron/electron
>= 38.0.0-alpha.1, < 38.0.0-beta.6
npm/electron
0 - 35.7.5
Published
Sep 04, 2025
Tracked Since
Feb 18, 2026