CVE-2025-55305

MEDIUM

Electron <38.0.0-beta.6 - ASAR Integrity Bypass

Title source: llm

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions below 35.7.5, 36.0.0-alpha.1 through 36.8.0, 37.0.0-alpha.1 through 37.3.1 and 38.0.0-alpha.1 through 38.0.0-beta.6, ASAR Integrity Bypass via resource modification. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is fixed in versions 35.7.5, 36.8.1, 37.3.1 and 38.0.0-beta.6.

References (9)

[Vendor Advisory] https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg

[Issue Tracking] https://github.com/electron/electron/pull/48101

[Issue Tracking] https://github.com/electron/electron/pull/48102

[Issue Tracking] https://github.com/electron/electron/pull/48103

[Issue Tracking] https://github.com/electron/electron/pull/48104

[Patch] https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b

[Patch] https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1

[Patch] https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d

[Patch] https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee

View Patch ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0001

EPSS Percentile 0.4%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-829 CWE-94

Status published

Products (5)

electron/electron < 35.7.5

electron/electron >= 36.0.0-alpha.1, < 36.8.1

electron/electron >= 37.0.0-alpha.1, < 37.3.1

electron/electron >= 38.0.0-alpha.1, < 38.0.0-beta.6

npm/electron 0 - 35.7.5npm

Published Sep 04, 2025

Tracked Since Feb 18, 2026