electron is vulnerable to Insufficient policy enforcement
65
Medium Risk
This vulnerability in Chromium's Mojo inter-process communication (IPC) system could allow an untrusted process to leak handles by reflecting a broker-initiated transport back to the broker. If an attacker-controlled (untrusted) node receives a transport from a broker (a privileged process managing handle sharing), it could maliciously reflect it back. When the broker later deserializes another transport containing handles using the reflected transport, handle leaks occur—potentially exposing sensitive resources or enabling privilege escalation.
You are affected if you are using a version that falls within the vulnerable range.
electron is vulnerable to Insufficient policy enforcement in versions 34.0.0 - 34.5.6 and 35.0.0 - 35.4.0.
Upgrade the electron library to a patched version.
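As an added example (not part of the advisory or of Electron's own code), this Node.js script checks an npm lockfile for every installed copy of electron, including nested ones, against the affected ranges listed above. The sample lockfile, the function names, and the choice to judge prerelease builds by their numeric core are assumptions made for illustration.

```javascript
// Added example: vulnerable ranges copied from the advisory text above.
const VULNERABLE_RANGES = [
  ["34.0.0", "34.5.6"],
  ["35.0.0", "35.4.0"],
];

// Parse "major.minor.patch"; a prerelease/build suffix is dropped, so a
// prerelease is judged by its numeric core (conservative assumption).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true / false for a parseable version, null when it needs manual review.
function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return VULNERABLE_RANGES.some(
    ([lo, hi]) => compare(v, parseVersion(lo)) >= 0 && compare(v, parseVersion(hi)) <= 0
  );
}

// Walk an npm lockfile (lockfileVersion 2/3 "packages" map) and report every
// installed copy of electron, not just the top-level one.
function findElectron(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/electron" || path.endsWith("/node_modules/electron")) {
      findings.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project and package names).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/electron": { version: "35.4.0" },
    "node_modules/legacy-shell/node_modules/electron": { version: "34.5.7" },
    "node_modules/electron-helper-lib": { version: "1.2.3" },
  },
};

console.log(findElectron(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of that project's `package-lock.json`.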