CVE-2026-34767：electron HTTP响应头注入漏洞，中危

Electron的CVE-2026-34767漏洞影响使用protocol.handle()或protocol.registerSchemesAsPrivileged来处理自定义协议的应用程序，或使用webRequest.onHeadersReceived来修改响应头部的应用程序。如果应用程序将攻击者控制的输入反映到HTTP响应头部的名称或值中，则可能存在HTTP响应头部注入漏洞。这使得攻击者能够注入额外的响应头部，从而可能操纵Cookie、内容安全策略（CSP）或跨源资源共享（CORS）。影响范围可以从会话Cookie的操纵到应用程序行为的改变以及潜在的敏感信息泄露。

Applications built with Electron that register custom protocol handlers or modify response headers are at risk. This includes desktop applications, command-line tools, and web applications packaged as Electron apps. Shared hosting environments where multiple Electron applications share the same server resources are particularly vulnerable, as a compromise in one application could potentially affect others.

• linux / server: Monitor Electron application logs for unusual HTTP response headers. Use ss or lsof to identify processes handling network traffic and correlate with Electron application processes.

lsof -i :80 | grep electron

• generic web: Use curl to inspect HTTP response headers from Electron applications. Look for unexpected or suspicious headers.

curl -I https://example.com/electron-app | grep -i 'header-name:'

1. 2026-04-03Disclosure

   disclosure

1. 已保留2026-03-30
2. 发布日期2026-04-03
3. 修改日期2026-04-06
4. EPSS 更新日期2026-04-11

建议的解决方案是将Electron升级到版本38.8.6或更高版本。此版本包含针对该漏洞的修复。此外，请严格验证和清理用于构建响应头部的任何用户提供的输入。避免将用户控制的数据直接连接到头部名称或值中。实施适当的编码以防止恶意字符注入。对应用程序进行彻底的安全测试，以识别和减轻潜在的攻击向量。