electron is vulnerable to Improper Authorization
59
Medium Risk
Electron's ElectronURLLoaderFactory handles custom protocol handlers that return a ProtocolResponse with a url, which triggers an upstream HTTP request. When the response omits ProtocolResponse.session, the upstream request is always issued through the default session instead of the session the protocol handler was registered on. Applications that register handlers on a non-default session therefore have these requests carry the default session's cookies, credentials, cache, and proxy configuration, breaking session isolation and using an unintended authentication context. The fix threads the registering browser context through the URL loader factory so the request defaults to the handler's own session as documented.
You are affected if you are using a version that falls within the vulnerable range and your application registers a custom protocol handler on a non-default session that returns ProtocolResponse.url responses without setting ProtocolResponse.session.
electron is vulnerable to Improper Authorization in versions 7.0.0 - 40.10.5, 41.0.0 - 41.9.0 and 42.0.0 - 42.5.0.
Upgrade the electron library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant