UNKNOWN CVE-2026-34777

CVE-2026-34777: Electron Origin Spoofing Vulnerability (≤38.8.6)

Platform

nodejs

Component

electron

Fixed in

38.8.6

CVE-2026-34777 describes an origin spoofing vulnerability within the Electron framework. This flaw allows embedded iframes to potentially gain elevated permissions by misrepresenting their origin during permission requests, impacting applications that rely on origin validation for security. This affects Electron versions up to and including 38.8.6. Currently, there is no official patch available; however, developers can mitigate the risk by validating the `details.requestingUrl` parameter.

How to fix

No official patch available. Check for workarounds or monitor for updates.

Frequently asked questions

What is CVE-2026-34777?

CVE-2026-34777 is an origin spoofing vulnerability in Electron where iframes can misrepresent their origin when requesting permissions, potentially gaining unauthorized access.

Am I affected by CVE-2026-34777?

You are potentially affected if you are using Electron version 38.8.6 or earlier and your application grants permissions based solely on the origin parameter or `webContents.getURL()`.

How can I fix or mitigate CVE-2026-34777?

There is no official patch available. Mitigate the vulnerability by validating the `details.requestingUrl` parameter in your `setPermissionRequestHandler()` to ensure the requesting URL matches the expected origin.
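One way to implement the `details.requestingUrl` check described above, as an added example that is not code from the advisory or from the Electron project. `TRUSTED_ORIGINS`, `ALLOWED_PERMISSIONS`, `originOf`, `shouldGrant` and `installHandler` are hypothetical names, and `app.example.com` is a placeholder origin.

```javascript
// Added example. TRUSTED_ORIGINS, ALLOWED_PERMISSIONS, originOf, shouldGrant
// and installHandler are hypothetical names; app.example.com is a placeholder.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);
const ALLOWED_PERMISSIONS = new Set(['media', 'notifications']);

// Parse the URL and return its origin, or null if it cannot be trusted.
// Parsing (rather than a prefix match) rejects look-alike hosts and userinfo tricks.
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    // data:, file: and about: URLs have an opaque origin, serialized as "null".
    return origin === 'null' ? null : origin;
  } catch {
    return null; // missing or malformed requestingUrl: deny
  }
}

// Decide from details.requestingUrl (the requesting frame's URL), not from
// webContents.getURL(), which reports the top-level page even when an
// embedded iframe made the request.
function shouldGrant(permission, details) {
  if (!ALLOWED_PERMISSIONS.has(permission)) return false;
  const origin = originOf(details ? details.requestingUrl : undefined);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// Wire the check into a session, e.g. installHandler(session.defaultSession)
// from the main process once the app is ready.
function installHandler(ses) {
  ses.setPermissionRequestHandler((webContents, permission, callback, details) => {
    callback(shouldGrant(permission, details));
  });
}
```

The handler denies by default: any permission outside the allowlist, any request without a parseable `requestingUrl`, and any frame whose parsed origin is not explicitly trusted is refused.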
