electron is vulnerable to Insufficient policy enforcement
54
Medium Risk
Electron enables AllowUniversalAccessFromFileURLs for renderers by default through the grant_file_protocol_extra_privileges fuse. In affected builds, Blink treated that preference as unconditional when assigning window agents, so http:, https:, and custom-scheme documents were routed to the universal-access agent instead of keeping their browser-provided AgentClusterKey. After Chromium moved cross-origin isolation state to the per-context agent cluster key, those pages no longer became cross-origin isolated even with correct COOP and COEP headers, breaking isolation-dependent capabilities such as SharedArrayBuffer. The patch constrains universal file access routing to file: origins only and restores expected agent assignment for other schemes.
You are affected if you are using a version that falls within the vulnerable range.
electron is vulnerable to Insufficient policy enforcement in versions 41.0.0 - 41.5.0.
Upgrade the electron library to a patched version.
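To check a project against the range above, the following added example (not part of the advisory or of Electron's code) scans an npm lockfile for electron installs in 41.0.0 - 41.5.0 and tests a renderer observation against the symptom described. The function names, the sample lockfile and the prerelease handling are assumptions; the accepted header values are the standard ones for cross-origin isolation.

```javascript
// Added example. Range and package name come from the advisory; all inputs are constructed.
const RANGE = { low: [41, 0, 0], high: [41, 5, 0] };

// "41.2.1" or "41.2.1-beta.3" -> [41, 2, 1]; null when the string is not a version.
function parseCore(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Assumption: a prerelease is judged by its core version, which errs toward flagging.
function inVulnerableRange(version) {
  const core = parseCore(version);
  return core !== null && cmp(core, RANGE.low) >= 0 && cmp(core, RANGE.high) <= 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3) and return every electron
// install in the range, including copies nested under other dependencies.
function findAffectedElectron(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path, e]) => /(^|\/)node_modules\/electron$/.test(path) && inVulnerableRange(e.version))
    .map(([path, e]) => ({ path, version: e.version }));
}

// Symptom from the advisory: a non-file: document that sends correct COOP and
// COEP headers but still reports crossOriginIsolated === false.
function matchesSymptom({ url, headers, crossOriginIsolated }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim().toLowerCase();
  const headersOk = h['cross-origin-opener-policy'] === 'same-origin' &&
    ['require-corp', 'credentialless'].includes(h['cross-origin-embedder-policy']);
  return new URL(url).protocol !== 'file:' && headersOk && crossOriginIsolated === false;
}

// Constructed sample lockfile fragment.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/electron': { version: '41.3.2' },
  'node_modules/electron-builder': { version: '41.1.0' },
  'node_modules/legacy-shell/node_modules/electron': { version: '40.9.9' },
} };
console.log(findAffectedElectron(SAMPLE_LOCK));
```

In a renderer, the `crossOriginIsolated` input is the value of `self.crossOriginIsolated`, and `headers` are the response headers served with the document.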