CVE-2026-34773: Electron Protocol Handler Hijacking on Windows
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34773 describes a protocol handler hijacking vulnerability affecting Electron applications on Windows. Specifically, the `app.setAsDefaultProtocolClient()` function did not properly validate the protocol name before writing to the registry, potentially allowing attackers to hijack existing protocol handlers if the application uses untrusted input. This impacts Electron versions up to and including 38.8.6. To mitigate this, validate the protocol name against `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before calling the function.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-34773?
CVE-2026-34773 is a medium severity vulnerability in Electron on Windows that allows attackers to potentially hijack protocol handlers by exploiting insufficient validation in the `app.setAsDefaultProtocolClient()` function.
Am I affected by CVE-2026-34773?
You are affected if your Electron application on Windows uses `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input and is running version 38.8.6 or earlier.
How do I fix or mitigate CVE-2026-34773?
To mitigate CVE-2026-34773, validate the protocol name against the regular expression `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before calling `app.setAsDefaultProtocolClient()`.
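The following is an added example of the mitigation described above and in the summary; it is not code from the advisory or from the Electron project. It wraps `app.setAsDefaultProtocolClient()` behind a check against the advisory's regular expression and, going one step further than the advisory, an allowlist of the schemes the application is actually expected to own, so a caller cannot register a scheme that merely looks syntactically valid (such as `http` or `mailto`). The `registerProtocol` and `makeRecordingApp` names, the `myapp` scheme and the recording stub are assumptions made for the example; in a real application the `app` argument is Electron's `app` object.

```javascript
// Added example, not part of the advisory or of Electron.
// Validates a protocol scheme before it is passed to
// app.setAsDefaultProtocolClient(), which writes the scheme into the Windows
// registry. Untrusted scheme names must never reach that call unchecked.

// Scheme syntax from the advisory: a letter, then letters, digits, "+", "." or "-".
const SCHEME_RE = /^[a-zA-Z][a-zA-Z0-9+.-]*$/;

// Schemes this (hypothetical) application legitimately registers. Scheme
// names are case-insensitive, so the allowlist is kept in lower case.
const ALLOWED_SCHEMES = new Set(['myapp']);

// Syntactic check only: does the name match the advisory's pattern?
function isValidScheme(name) {
  return typeof name === 'string' && SCHEME_RE.test(name);
}

// Policy check: is this one of the schemes the application is meant to own?
function isAllowedScheme(name) {
  return isValidScheme(name) && ALLOWED_SCHEMES.has(name.toLowerCase());
}

// Guarded wrapper around app.setAsDefaultProtocolClient(). Throws on any
// name that fails validation so the registry write never happens.
// `path` and `args` are forwarded unchanged to Electron's call.
function registerProtocol(app, name, path, args) {
  if (!isValidScheme(name)) {
    throw new TypeError(
      `refusing to register protocol: invalid scheme ${JSON.stringify(name)}`
    );
  }
  if (!isAllowedScheme(name)) {
    throw new Error(
      `refusing to register protocol: scheme ${JSON.stringify(name)} is not on the allowlist`
    );
  }
  return app.setAsDefaultProtocolClient(name, path, args);
}

// Constructed stand-in for Electron's `app` so the example runs without
// Electron installed. It records what would have been written to the registry.
function makeRecordingApp() {
  const calls = [];
  return {
    calls,
    setAsDefaultProtocolClient(scheme, path, args) {
      calls.push({ scheme, path, args });
      return true; // Electron returns a boolean success flag
    },
  };
}

// Demonstration against the recording stub. In a real Electron main process
// you would instead do:
//   const { app } = require('electron');
//   registerProtocol(app, 'myapp');
const demoApp = makeRecordingApp();
registerProtocol(demoApp, 'myapp'); // accepted: valid syntax and allowlisted
for (const bad of ['my app', '9abc', 'my"app', 'a\\b', '', 'http']) {
  try {
    registerProtocol(demoApp, bad);
  } catch (err) {
    console.log(`rejected ${JSON.stringify(bad)}: ${err.message}`);
  }
}
console.log('registry writes that would have happened:', demoApp.calls);
```

The regular expression on its own only enforces URI scheme syntax; any scheme that is well-formed would still pass. Keeping a short allowlist alongside it means the check fails closed when the name comes from configuration files, command-line arguments or other input the application does not control.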