github - ghsa-xw5q-g62x-2qjc

GHSA-XW5Q-G62X-2QJC

Vulnerability from github – Published: 2025-06-30 17:54 – Updated: 2025-07-01 13:13

Summary

electron ASAR Integrity bypass by just modifying the content

Details

electron's ASAR Integrity can be bypass by modifying the content.

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are unimpacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

30.0.5
31.0.0-beta.1

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Severity ?

7.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "30.0.0-alpha.1"
            },
            {
              "fixed": "30.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "31.0.0-alpha.1"
            },
            {
              "fixed": "31.0.0-beta.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-46992"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-354"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-30T17:54:11Z",
    "nvd_published_at": "2025-07-01T02:15:20Z",
    "severity": "HIGH"
  },
  "details": "electron\u0027s ASAR Integrity can be bypass by modifying the content.\n\n### Impact\nThis only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are unimpacted.\n\nSpecifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against.\n\n### Workarounds\nThere are no app side workarounds, you must update to a patched version of Electron.\n\n### Fixed Versions\n* `30.0.5`\n* `31.0.0-beta.1`\n\n### For more information\nIf you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)",
  "id": "GHSA-xw5q-g62x-2qjc",
  "modified": "2025-07-01T13:13:18Z",
  "published": "2025-06-30T17:54:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-46992"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/electron"
    },
    {
      "type": "WEB",
      "url": "https://www.electronjs.org/docs/latest/tutorial/fuses"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "electron ASAR Integrity bypass by just modifying the content"
}

CVE-2024-46992 (GCVE-0-2024-46992)

Vulnerability from cvelistv5 – Published: 2025-07-01 01:43 – Updated: 2025-07-01 14:33

Title

Electron ASAR Integrity bypass by just modifying the content

Summary

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 30.0.0-alpha.1 to before 30.0.5 and 31.0.0-alpha.1 to before 31.0.0-beta.1, Electron is vulnerable to an ASAR Integrity bypass. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are not impacted. Specifically this issue can only be exploited if the app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. This issue has been patched in versions 30.0.5 and 31.0.0-beta.1. There are no workarounds for this issue.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-354 - Improper Validation of Integrity Check Value

Assigner

GitHub_M

References

URL

Tags

	https://github.com/electron/electron/security/adv…	x_refsource_CONFIRM
	https://www.electronjs.org/docs/latest/tutorial/fuses	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	electron	electron	Affected: >= 30.0.0-alpha.1, < 30.0.5 Affected: >= 31.0.0-alpha.1, < 31.0.0-beta.1

Show details on NVD website