CVE-2026-34778: Electron IPC Spoofing Vulnerability (<=38.8.6)
Platform
nodejs
Component
electron
Fixed in
38.8.6
CVE-2026-34778 describes an IPC spoofing vulnerability in Electron. A service worker can spoof reply messages on the internal IPC channel, potentially causing the main process promise to resolve with attacker-controlled data. This impacts applications that rely on the result of `webContents.executeJavaScript()` for security decisions. The vulnerability affects Electron versions ≤38.8.6. Currently, there is no official patch available.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-34778?
CVE-2026-34778 is an IPC spoofing vulnerability in Electron that allows a service worker to spoof reply messages, potentially leading to the execution of attacker-controlled data.
Am I affected by CVE-2026-34778?
You are affected if you are using Electron version ≤38.8.6 and your application uses service workers and relies on the return value of `webContents.executeJavaScript()` for security-sensitive decisions.
How can I fix or mitigate CVE-2026-34778?
Currently, there is no official patch available. As a workaround, do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant tasks.
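The workaround above, sketched as an added example (not code from Electron or from this advisory): the security decision moves to a dedicated `ipcMain.handle` channel that checks the sender frame and the payload and decides from main-process state. The origin, channel name, payload shape and the `session` object are assumptions, and `ipcMain` is passed in as a parameter.

```javascript
// Assumed names: origin, channel, payload shape and the `session` object.
const TRUSTED_ORIGIN = 'https://app.example.invalid';
const CHANNEL = 'document:export';

// Pattern the advisory says not to rely on (comment only):
//   const ok = await win.webContents.executeJavaScript('window.isLoggedIn');
//   if (ok) exportDocument();  // the resolved value may be spoofed

// Accept only a top-level frame whose URL is on the trusted origin.
function isTrustedSender(event) {
  const frame = event && event.senderFrame; // missing when the sender is not a frame
  if (!frame || typeof frame.url !== 'string' || frame.parent) return false;
  try {
    return new URL(frame.url).origin === TRUSTED_ORIGIN;
  } catch {
    return false; // unparsable URL
  }
}

// Allow exactly one field with a strict format; reject everything else.
function validatePayload(payload) {
  if (payload === null || typeof payload !== 'object') return null;
  const keys = Object.keys(payload);
  if (keys.length !== 1 || keys[0] !== 'documentId') return null;
  const id = payload.documentId;
  return typeof id === 'string' && /^[a-z0-9-]{1,64}$/.test(id) ? id : null;
}

// `ipcMain` is injected; in the main process pass require('electron').ipcMain.
function registerExportHandler(ipcMain, session) {
  ipcMain.handle(CHANNEL, (event, payload) => {
    if (!isTrustedSender(event)) return { ok: false, reason: 'untrusted-sender' };
    const documentId = validatePayload(payload);
    if (!documentId) return { ok: false, reason: 'invalid-payload' };
    // The decision uses main-process state, not a value reported by the page.
    if (!session.isAuthenticated()) return { ok: false, reason: 'unauthenticated' };
    return { ok: true, documentId };
  });
}
```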