CVE-2025-55305

EPSS 0.27%
Veröffentlicht 04.09.2025 23:05:07
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Electron is vulnerable to Code Injection via resource modification

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions below 35.7.5, 36.0.0-alpha.1 through 36.8.0, 37.0.0-alpha.1 through 37.3.1 and 38.0.0-alpha.1 through 38.0.0-beta.6, ASAR Integrity Bypass via resource modification. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is fixed in versions 35.7.5, 36.8.1, 37.3.1 and 38.0.0-beta.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 12

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerelectron

≫

Produkt electron

Version < 35.7.5

Status affected

Version >= 36.0.0-alpha.1, < 36.8.1

Status affected

Version >= 37.0.0-alpha.1, < 37.3.1

Status affected

Version >= 38.0.0-alpha.1, < 38.0.0-beta.6

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.181

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.1	1.3	4.7	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg

https://github.com/electron/electron/pull/48101

https://github.com/electron/electron/pull/48102

https://github.com/electron/electron/pull/48103

https://github.com/electron/electron/pull/48104

https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b

https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1

https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d

https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee

https://nvd.nist.gov/vuln/detail/CVE-2025-55305

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55305

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55305

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-55305