electron is vulnerable to Origin Validation Error
65
Medium Risk
Protocol handlers that registered the Fetch-compatible path with only the fetch surface enabled could still serve cross-origin fetch and XHR requests from untrusted web contexts without the explicit CORS opt-in, and cross-origin no-cors fetches were not consistently treated as opaque. That let remote pages read custom scheme response bodies in situations that should have been CORS- or opacity-gated, undermining the isolation model for those handlers. The loader now enforces the CORS-disabled scheme rule for that configuration and returns opaque bytes for disallowed cross-origin no-cors requests so cross-site code cannot access the scheme payload unless CORS is deliberately enabled.
You are affected if you are using a version that falls within the vulnerable range.
electron is vulnerable to Origin Validation Error in versions 25.0.0 - 40.9.2 and 41.0.0 - 41.3.0.
Upgrade the electron library to a patched version.
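A triage sketch for the affected ranges above, added here as an example and not code from Electron or from this advisory: it checks a resolved electron version against the stated ranges (treated as inclusive) and lists custom schemes declared with the Fetch surface but no CORS opt-in. Mapping the advisory's wording to the supportFetchAPI and corsEnabled privileges of protocol.registerSchemesAsPrivileged is an assumption, and the function names and sample schemes are constructed.

```javascript
// Affected ranges exactly as stated in the advisory text (treated as inclusive).
const AFFECTED_RANGES = [
  ["25.0.0", "40.9.2"],
  ["41.0.0", "41.3.0"],
];

// Parse "41.2.1" or "v41.2.1-beta.3" into [major, minor, patch].
// Assumption: a prerelease tag is ignored, so prereleases are judged by their
// release core (the conservative choice for triage).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a resolved version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0
  );
}

// Schemes declared with the Fetch surface but without the explicit CORS opt-in.
// Input has the shape of the array passed to protocol.registerSchemesAsPrivileged.
function fetchOnlySchemes(customSchemes) {
  return customSchemes
    .filter(({ privileges: p = {} }) => p.supportFetchAPI === true && p.corsEnabled !== true)
    .map((s) => s.scheme);
}

// Combine both checks: schemes only need review on an affected version.
function triage(installedVersion, customSchemes) {
  const affected = isAffectedVersion(installedVersion);
  return { affected, schemesToReview: affected ? fetchOnlySchemes(customSchemes) : [] };
}

// Constructed sample input, not taken from any real application.
const sampleSchemes = [
  { scheme: "app", privileges: { standard: true, secure: true, supportFetchAPI: true } },
  { scheme: "media", privileges: { supportFetchAPI: true, corsEnabled: true } },
  { scheme: "legacy", privileges: { standard: true } },
];
console.log(triage("41.2.0", sampleSchemes));
```

Pass the version resolved in the lockfile rather than a package.json range such as ^30.0.0, which parseVersion rejects.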