Intel

AIKIDO-2026-757462

electron-updater is vulnerable to Path Traversal

Path Traversal Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

59

Medium Risk

This Affects:

JSelectron-updater
6.1.1 - 6.8.7
Fixed in 6.8.8
Are you affected? Scan for Free

TL;DR

The auto-update flow in electron-updater derives the cached update file name from the server-supplied download URL. When the URL path does not end with the expected installer extension, the fallback branch in getCacheUpdateFileName returns the raw URL string without applying path.basename, and the value is joined onto the update cache directory. An attacker who controls the update feed metadata can supply a crafted path that escapes the cache directory and writes the downloaded artifact to an arbitrary filesystem location, which the updater then acts on. The fix applies path.basename to the fallback branch so the cached file name can no longer traverse outside the cache directory.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the auto-update flow.

Background info

electron-updater is vulnerable to Path Traversal in versions 6.1.1 - 6.8.7.

How to fix this

Upgrade the electron-updater library to the patch version.