-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability stems from improper validation of ASAR file integrity. The GitHub PR #39788 fix explicitly addresses this by ensuring loaded files are actual ASAR archives, not just files with .asar extensions. The ElectronMain function in electron_main.cc is the entry point for app initialization and ASAR handling. The vulnerability occurred because this function (or its dependencies) checked the file path extension but not the file's actual content structure. The fix adds validation of the ASAR magic bytes, indicating the original code lacked this critical check. This matches the CWE-345 (Insufficient Verification of Data Authenticity) classification in the advisory.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| electron | npm | < 22.3.24 | 22.3.24 |
| electron | npm | >= 24.0.0-alpha.1, < 24.8.3 | 24.8.3 |
| electron | npm |
| >= 25.0.0-alpha.1, < 25.8.1 |
| 25.8.1 |
| electron | npm | >= 26.0.0-alpha.1, < 26.2.1 | 26.2.1 |
| electron | npm | >= 27.0.0-alpha.1, < 27.0.0-alpha.7 | 27.0.0-alpha.7 |
| electron | npm | >= 23.0.0-alpha.1, <= 23.3.13 |
JavaScriptJavaScriptKEV Misses 88% of Exploited CVEs- Get the report