electron is vulnerable to Improper Input Validation
54
Medium Risk
Affected versions of electron contain an improper input validation flaw in app.setAsDefaultProtocolClient on Windows. The implementation does not validate the supplied protocol name before incorporating it into a Windows Registry path under HKCU\Software\Classes. Because the protocol value is used as part of the key path, a value containing path separator characters such as backslashes causes the write to land in an unintended registry subkey, including keys belonging to existing protocol handlers, which could be overwritten or hijacked. The result may be unexpected application behavior, or execution of an attacker-controlled program when an affected protocol is invoked. The issue is addressed by validating protocol names against the RFC 3986 scheme grammar (an ASCII letter followed by letters, digits, "+", "-" or ".") before using them in registry paths, which excludes backslashes and other path characters.
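The following is an added illustration, not Electron's own source, of the mechanism described above: a protocol name concatenated straight into a Classes key path, beside a validator that applies the RFC 3986 scheme grammar the fix is described as using. The key layout, the function names and the sample inputs are assumptions made for the example.

```javascript
// Added example (not Electron code). Demonstrates how an unvalidated protocol
// name becomes part of an HKCU\Software\Classes key path, and how checking the
// value against the RFC 3986 scheme grammar keeps path characters out of it.

// RFC 3986, section 3.1:
//   scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
const RFC3986_SCHEME = /^[A-Za-z][A-Za-z0-9+.-]*$/;

const CLASSES_ROOT = 'HKCU\\Software\\Classes\\';  // assumed key prefix

function isValidScheme(protocol) {
  return typeof protocol === 'string' && RFC3986_SCHEME.test(protocol);
}

// Naive key construction, as the advisory describes: the protocol value is
// appended to the path unchecked, so a backslash in it selects a different key.
function unsafeClassesKey(protocol) {
  return CLASSES_ROOT + protocol;
}

// Hardened variant: reject anything that is not a syntactically valid scheme
// before it reaches the registry path.
function safeClassesKey(protocol) {
  if (!isValidScheme(protocol)) {
    throw new TypeError(`Invalid protocol scheme: ${JSON.stringify(protocol)}`);
  }
  return CLASSES_ROOT + protocol;
}

// Which top-level Classes subkey a given protocol value would actually touch
// under the naive construction (the first path component after Classes\).
function affectedTopLevelKey(protocol) {
  const rest = unsafeClassesKey(protocol).slice(CLASSES_ROOT.length);
  return rest.split('\\')[0];
}

// Constructed sample inputs for the demonstration.
const SAMPLES = [
  'myapp',               // ordinary custom scheme
  'my+app.x-y',          // still valid under RFC 3986
  '1abc',                // invalid: scheme must start with a letter
  'http\\shell\\open',   // invalid: backslashes steer the write under "http"
];

for (const p of SAMPLES) {
  console.log(
    JSON.stringify(p),
    'valid=' + isValidScheme(p),
    'naiveKey=' + unsafeClassesKey(p),
    'touches=' + affectedTopLevelKey(p)
  );
}
```

The point of `affectedTopLevelKey` is that with the naive construction the value `http\shell\open` is written beneath the existing `http` handler's key rather than under a key of its own, which is the unintended-subkey write the advisory describes; the validator rejects it before any path is built.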
You are affected if you are using a version that falls within the vulnerable range and you are using Windows.
electron is vulnerable to Improper Input Validation in versions 40.0.0 - 40.8.0, 39.0.0 - 39.8.0 and 38.0.0 - 38.8.5.
Upgrade electron to a patched release, i.e. a version above the affected range for your major line (40.8.1, 39.8.1 or 38.8.6, or later).