
renovate[bot] commented Aug 14, 2025

This PR contains the following updates:

Package   Change
electron  9.0.5 -> 28.3.2

GitHub Vulnerability Alerts

CVE-2020-15174

Impact

The will-navigate event that apps use to prevent navigations to unexpected destinations as per our security recommendations can be bypassed when a sub-frame performs a top-frame navigation across sites.

Patches

  • 11.0.0-beta.1
  • 10.0.1
  • 9.3.0
  • 8.5.1

Workarounds

Sandbox all your iframes using the sandbox attribute. This will prevent them creating top-frame navigations and is good practice anyway.

For more information

If you have any questions or comments about this advisory:

CVE-2020-15215

Impact

Apps using both contextIsolation and sandbox: true are affected.
Apps using both contextIsolation and nativeWindowOpen: true are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 11.0.0-beta.6
  • 10.1.2
  • 9.3.1
  • 8.5.2

For more information

If you have any questions or comments about this advisory:

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

  • Uses remote
  • Calls webContents.sendToFrame
  • Calls event.reply in an IPC message handler

Patches

This has been fixed in the following versions:

  • 9.4.0
  • 10.2.0
  • 11.1.0
  • 12.0.0-beta.9

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2021-39184

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #30728, and the following Electron versions contain the fix:

  • 15.0.0-alpha.10
  • 14.0.0
  • 13.3.0
  • 12.1.0
  • 11.5.0

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-21718

Impact

This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device.

All current stable versions of Electron are affected.

Patches

This has been patched and the following Electron versions contain the fix:

  • 17.0.0-alpha.6
  • 16.0.6
  • 15.3.5
  • 14.2.4
  • 13.6.6

Workarounds

Adding this code to your app works around the issue:

app.on('web-contents-created', (event, webContents) => {
  webContents.on('select-bluetooth-device', (event, devices, callback) => {
    // Prevent default behavior
    event.preventDefault();
    // Cancel the request
    callback('');
  });
});

For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-29247

Impact

This vulnerability allows a renderer with JS execution to obtain access to a new renderer process with nodeIntegrationInSubFrames enabled which in turn allows effective access to ipcRenderer.

Please note that the misleadingly named nodeIntegrationInSubFrames option does not implicitly grant Node.js access; rather, it depends on the existing sandbox setting. If your application is sandboxed, then nodeIntegrationInSubFrames just gives access to the sandboxed renderer APIs (which include ipcRenderer).

If your application additionally exposes IPC messages that perform privileged actions or return confidential data without validating the IPC senderFrame, this access to ipcRenderer can in turn compromise your application or user even with the sandbox enabled.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.6
  • 15.5.5

Workarounds

Ensure that all IPC message handlers appropriately validate senderFrame as per our security tutorial here.
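Added example (not code from the advisory or from Electron): one origin allowlist that backs both the senderFrame validation this workaround asks for and a will-navigate guard of the kind CVE-2020-15174 above is about. The Electron objects (app, ipcMain, and the event's senderFrame with its url and parent properties) are passed in rather than required, so the policy logic runs and can be unit-tested outside Electron; the trusted origins, the 'read-secret' channel and its return value are assumed.

```javascript
// Constructed allowlist: only these origins may host app UI or call
// privileged IPC channels. A page served from anywhere else gets nothing.
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'file://']);

// Reduce a URL to its origin. Unparsable URLs (and opaque origins such as
// about:blank or javascript:) are never trusted.
function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return u.protocol === 'file:' ? 'file://' : u.origin;
  } catch {
    return null;
  }
}

function isTrustedOrigin(rawUrl) {
  const origin = originOf(rawUrl);
  return origin !== null && TRUSTED_ORIGINS.has(origin);
}

// A sender frame is trusted only if it and every ancestor are trusted:
// the ancestors are exactly the documents that could have embedded it,
// which is what nodeIntegrationInSubFrames-style abuse relies on.
function isTrustedFrame(frame) {
  for (let f = frame; f; f = f.parent) {
    if (!isTrustedOrigin(f.url)) return false;
  }
  return true;
}

// Wrap a privileged ipcMain.handle handler so it refuses calls whose
// senderFrame is missing (frame already gone) or untrusted. Throwing
// rejects the renderer's ipcRenderer.invoke promise.
function privileged(handler) {
  return (event, ...args) => {
    if (!event.senderFrame || !isTrustedFrame(event.senderFrame)) {
      throw new Error('IPC call rejected: untrusted senderFrame');
    }
    return handler(event, ...args);
  };
}

// Register the policy on injected app/ipcMain objects. In a real main
// process this would be called as installPolicy(require('electron')).
function installPolicy({ app, ipcMain }) {
  app.on('web-contents-created', (_event, contents) => {
    // will-navigate guard: block top-level navigation off the allowlist.
    contents.on('will-navigate', (event, url) => {
      if (!isTrustedOrigin(url)) event.preventDefault();
    });
  });
  // Hypothetical privileged channel; the secret value is constructed.
  ipcMain.handle('read-secret', privileged(() => 'constructed-secret'));
}
```

On Electron versions before the CVE-2020-15174 fix the will-navigate guard can still be bypassed by a sub-frame's top-frame navigation, so the sandbox attribute on iframes remains necessary alongside it.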

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-29257

Impact

This vulnerability allows attackers who have control over a given app's update server or update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components.

Please note that this kind of attack would require significant privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security.

Patches

This has been patched and the following Electron versions contain the fix:

  • 18.0.0-beta.6
  • 17.2.0
  • 16.2.0
  • 15.5.0

Workarounds

There are no workarounds for this issue, please update to a patched version of Electron.

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2022-36077

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @coolcoolnoworries for reporting this issue.

CVE-2024-46993

Impact

The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents.

Workaround

There are no app-side workarounds for this issue. You must update your Electron version to be protected.

Patches

  • v28.3.2
  • v29.3.3
  • v30.0.3

For More Information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2023-39956

Impact

Apps that are launched as command-line executables are impacted, e.g. if your app exposes itself in the path and is invoked as myapp --help.

Specifically this issue can only be exploited if the following conditions are met:

  • Your app is launched with an attacker-controlled working directory
  • The attacker has the ability to write files to that working directory

This makes the risk quite low. Normally, issues of this kind are considered outside of our threat model, since, like Chromium, we exclude physically local attacks; but given that this issue can bypass certain protections like ASAR Integrity, it is being treated with higher importance. Please bear this in mind when reporting similar issues in the future.

Workarounds

There are no app-side workarounds; you must update to a patched version of Electron.

Fixed Versions

  • 26.0.0-beta.13
  • 25.5.0
  • 24.7.1
  • 23.3.13
  • 22.3.19

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

CVE-2023-5217

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2023-44402

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS.

Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the attacker can edit files inside the resources folder in your app installation on Windows, which these fuses are supposed to protect against.

Workarounds

There are no app-side workarounds; you must update to a patched version of Electron.

Fixed Versions

  • 27.0.0-alpha.7
  • 26.2.1
  • 25.8.1
  • 24.8.3
  • 22.3.24

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.


Release Notes

electron/electron (electron)

v28.3.2: electron v28.3.2

Release Notes for v28.3.2

Fixes

  • Fixed an issue where console.log() in AudioWorkletGlobalScope produced incorrect output. #41895
  • Rename patches/devtools_frontend to patches/devtools-frontend. #42212

Other Changes

v28.3.1: electron v28.3.1

Release Notes for v28.3.1

Fixes

  • Fixed an issue on Windows where silent printing resulted in comically tiny renderer output. #41837 (Also in 29, 30)

Other Changes

v28.3.0: electron v28.3.0

Release Notes for v28.3.0

Features

  • Added proxy configuring support for requests made with net module from utility process. #41744 (Also in 29, 30)

Fixes

  • Fixed a bug where a window with maximization disabled and WCO enabled would still show its maximization button. #41806

Other Changes

v28.2.10: electron v28.2.10

Release Notes for v28.2.10

Fixes

  • Fixed crash in Notification::Close() under libnotify 0.8.x with portal environment. #41709 (Also in 29, 30)
  • Fixed usage of Storage.{get|set|clear}Cookies via the Chrome DevTools Protocol. #41738 (Also in 29, 30)

Other Changes

Documentation

v28.2.9: electron v28.2.9

Release Notes for v28.2.9

Fixes

  • Fixed shell.showItemInFolder not opening Windows Explorer if the passed path contains forward slashes. #41670 (Also in 29, 30)
  • Fixed an issue where the serial-port-added event improperly respected filters set by serial.requestPort(). #41637 (Also in 29, 30)

Other Changes

v28.2.8: electron v28.2.8


Release Notes for v28.2.8

Other Changes

v28.2.7: electron v28.2.7

Release Notes for v28.2.7

Fixes

  • Fixed chrome://process-internals failing to load. #41541 (Also in 29, 30)
  • Fixed an issue where user-did-{resign|become}-active were not emitted properly on macOS. #41526 (Also in 29, 30)

Other Changes

v28.2.6: electron v28.2.6

Release Notes for v28.2.6

Fixes

  • Fixed a crash that can result from some kinds of dynamic imports. #41491
  • Fixed an issue where webContents.print(options) failed if options was not passed or undefined is passed. #41478 (Also in 29, 30)
  • Fixed saving traces from devtools performance panel. #41492

Other Changes

v28.2.5: electron v28.2.5


Release Notes for v28.2.5

Other Changes

v28.2.4: electron v28.2.4

Release Notes for v28.2.4

Fixes

  • CSS style -webkit-app-region: drag; has no effect in full screen mode. #41330 (Also in 27, 29)

Other Changes

v28.2.3: electron v28.2.3

Release Notes for v28.2.3

Fixes

  • Fixed a crash that started occurring sporadically with some types of macOS window close. #41298 (Also in 29)
  • Fixed an issue where webContents.printToPDF could fail when certain combinations of margins and pageSize values are passed. #41267 (Also in 29)
  • Fixed an issue where crashes in node::Environment destruction potentially wouldn't be propagated to the NodeService exit handler. #41302 (Also in 27, 29)
  • Fixed an issue where zoom level settings did not persist per-session for webviews. #41268 (Also in 27)

Other Changes

  • Updated Chromium to 120.0.6099.283. #41262

v28.2.2: electron v28.2.2

Release Notes for v28.2.2

Fixes

  • Fixed an issue where select-usb-device did not respect the filter option in navigator.usb.requestDevice(). #41198 (Also in 27, 29)

Other Changes

v28.2.1: electron v28.2.1

Release Notes for v28.2.1

Fixes

  • Apply module search paths restriction on worker and child process. #41137 (Also in 27, 29)
  • Fixed a potential async_hooks crash when listening for the restore event on Windows after minimizing a maximized BrowserWindow. #41145 (Also in 27, 29)
  • Fixed an issue where Request objects did not correctly copy headers into fetches. #41103
  • Fixed an issue where non-modal windows with vibrancy could have incorrectly rounded corners on Sonoma. #41036 (Also in 27, 29)
  • Fixed an issue where the printBackground option in webContents.printToPDF did not work as expected. #41179 (Also in 29)
  • Fixed forked child process not able to send IPC message under some cases on macOS. #41101 (Also in 26, 27, 29)
  • Fixed on-screen-keyboard not hiding for webviews under some cases. #41150 (Also in 27, 29)

Other Changes

v28.2.0: electron v28.2.0

Release Notes for v28.2.0

Features

  • Added net module to utility process. #40967 (Also in 27, 29)

Fixes

  • Fixed session.fromPartition() key lookup bug. #41083 (Also in 29)
  • Fixed a potential crash when calling dialog.showMessageBoxSync. #41042 (Also in 27, 29)
  • Fixed a potential renderer crash when inspecting elements. #40981
  • Fixed macOS bug that causes window maximize button to be disabled in full-screen mode. #41028 (Also in 27, 29)

Other Changes

  • Updated Chromium to 120.0.6099.227. #41075

v28.1.4: electron v28.1.4

Release Notes for v28.1.4

Fixes

  • Fixed an issue where inAppPurchase.getProducts and inAppPurchase.purchasedProduct did not resolve as expected. #40956 (Also in 27, 29)

Other Changes

v28.1.3: electron v28.1.3

Release Notes for v28.1.3

Fixes

  • Fixed a crash resultant from trying to listen to power-related events before the ready event was emitted on Linux. #40924 (Also in 26, 27, 29)

v28.1.2: electron v28.1.2

Release Notes for v28.1.2

Fixes

  • Fixed a partition alloc ref count check for higher MacOS versions. #40765 (Also in 29)
  • Fixed default protocol handler behavior on Windows. #40909
  • Fixed the enabled/disabled behavior of the maximize/fullscreen button of macOS windows. #40896 (Also in 27, 29)
  • Unset all Node envs in node process when parent is a foreign process. #40880 (Also in 26, 27, 29)

Other Changes

  • Updated Chromium to 120.0.6099.199. #40762

v28.1.1: electron v28.1.1

Release Notes for v28.1.1

Fixes

  • Fixed incorrect title bar shown on frameless transparent windows. #40867 (Also in 27, 29)

v28.1.0: electron v28.1.0

Release Notes for v28.1.0

Features

  • Added an option in protocol.registerSchemesAsPrivileged to allow V8 code cache in custom schemes. #40709 (Also in 27)

Fixes

  • Fixed documentation of the default --inspect port. #40743 (Also in 27)
  • Prevent node mode to be used as script runner by other apps on macOS. #40710 (Also in 26, 27)

Other Changes

v28.0.0: electron v28.0.0

Release Notes for 28.0.0

Stack Upgrades

Breaking Changes

  • The BrowserWindow.getTrafficLightPosition() and BrowserWindow.setTrafficLightPosition() methods have been removed. #39479
  • The app.runningUnderRosettaTranslation() method has been removed. #39956
  • The ipcRenderer.sendTo() method has been removed. #39087
  • The scroll-touch-{begin,end,edge} events have been removed. #39814
  • Setting backgroundThrottling to false will disable frames throttling in the BrowserWindow for all WebContents displayed by it. #38924

Features

Additions

  • Enabled ESM support. #37535
  • The UtilityProcess API now supports ESM entrypoints. #40047
  • Added several properties to the display object including detected, maximumCursorSize, and nativeOrigin. #40554
  • Added support for ELECTRON_OZONE_PLATFORM_HINT environment variable on Linux. #39792

In addition to enabling ESM support in Electron itself, Electron Forge also supports using ESM to package, build and develop Electron applications. You can find this support in Forge v7.0.0 or higher: https://github.com/electron/forge/releases/tag/v7.0.0

  • Added API to help apps know when to avoid semitransparent backgrounds. #39631 (Also in 26, 27)
  • Added getWebRTCUDPPortRange and setWebRTCUDPPortRange APIs to specify UDP port range for WebRTC. #39046
  • Added keyboardLock to ses.setPermissionRequestHandler(handler). #40460 (Also in 26, 27)
  • Added mouse-enter and mouse-leave Tray events for Windows. #40072
  • Added a generateTaggedPDF option to webContents.printToPDF() to allow generating tagged (accessible) PDFs. #39563
  • Added a tabbingIdentifier property to BrowserWindow. #39980 (Also in 26, 27)
  • Added middle click mouse event to tray icon. #39926
  • Added support for chrome.scripting extension APIs. #39395 (Also in 25, 26, 27)
  • Added support for several more extensions manifest keys including host_permissions, author, and short_name. #39599 (Also in 26, 27)
  • Added the ability to send HTTP headers with webContents.downloadURL(). #39455 (Also in 25, 26, 27)
  • Changed systemPreferences.getColor(name) to return an RGBA hex value (#RRGGBBAA) instead of a plain RGB (#RRGGBB) value. #38960
  • Honor XDG dark theme preferences on Linux. #38977 (Also in 25, 26, 27)
  • Improved compatibility with CommonJS modules in sandboxed preload scripts by passing dummy module.exports. #39484

Improvements

  • Improved fork() and execve() performance for child_process API on Linux. #39253
  • Fixed resizing performance issue on macOS. #40586 (Also in 26, 27)
  • Fixed opaque window performance regression on DWM. #39895 (Also in 27)
  • Re-enabled partition alloc on macOS. #40230

Removed/Deprecated

  • The app.runningUnderRosettaTranslation property has been deprecated. #39897 (Also in 25, 26, 27)
  • The gpu-process-crashed event on app has been deprecated. #40195
  • The renderer-process-crashed event on app and crashed event on WebContents and <webview> have been deprecated. #40089

Fixes

  • Fixed an issue that prevented MessagePorts from being garbage collected when not referenced. #40201
  • Fixed app incorrectly activating panel windows on macOS Sonoma. #40465
  • Fixed file paths passed to shell.showItemInFolder not being escaped in Linux. #40562
  • Fixed loading nested ESM dependencies in node_modules. Support the throwIfNoEntry option in fs.statSync/fs.lstatSync in asar files. #40224
  • Fixed same-party cookie functionality for first party sets. #40526
  • Use activateIgnoringOtherApps for focusing non-panels on macOS. #40621

Also in earlier versions...

  • Fixed Windows Mica / Acrylic background material effects on frameless windows. #39708 (Also in 27)
  • Fixed BrowserView.setBounds() calls not painting view in new bounds in some cases. #39994 (Also in 25, 26, 27)
  • Fixed app.runningUnderARM64Translation() always returning true on ARM64. #39920 (Also in 25, 26, 27)
  • Fixed will-navigate not being emitted when pressing links in chrome: pages. #40525 (Also in 27)
  • Fixed a webContents.capturePage() issue that caused an empty image to be returned for fully-occluded windows on Linux and Windows. #40185 (Also in 25, 26, 27)
  • Fixed a potential issue with async_hook corruption in some error contexts. #40594 (Also in 26, 27)
  • Fixed an error changing file format in dialog.showOpenDialog on macOS. #40346 (Also in 27)
  • Fixed an error where listening to certain chrome.tabs events would throw incorrectly. #39729 (Also in 25, 26, 27)
  • Fixed an issue where BrowserWindows could crash on macOS with frame: false and roundedCorners: false when going fullscreen. #39747 (Also in 25, 26, 27)
  • Fixed an issue where WebViews could sometimes crash on unload. #40445 (Also in 26, 27)
  • Fixed an issue where Windows Toast notifications weren't properly dismissed from the Action Center on notification.close() if they'd previously been dismissed. #40243 (Also in 26, 27)
  • Fixed an issue where BrowserViews that had their bounds set prior to being added to a BrowserWindow could have unexpected incorrect offsets. #39605 (Also in 25, 26, 27)
  • Fixed an issue where chrome://gpu failed to load. #39556 (Also in 25, 26, 27)
  • Fixed an issue where navigator.keyboard.lock() did not work per latest expected behavior. #40389 (Also in 26, 27)
  • Fixed an issue where webContents.print could fail when options is a frozen object. #39985 (Also in 25, 26, 27)
  • Fixed an issue where accelerators representing DOM keys were not correctly converted in webContents.sendInputEvent(). #39776 (Also in 25, 26, 27)
  • Fixed an issue where calling loadURL during some webContents url loading events could crash. #40143 (Also in 24, 25, 26, 27)
  • Fixed an issue where calling show() on a child BrowserWindow would show all other children attached to the same parent on macOS. #40062 (Also in 24, 25, 26, 27)
  • Fixed an issue where certain properties of chrome.tabs Tab objects were not properly considered privileged. #39595 (Also in 25, 26, 27)
  • Fixed an issue where child windows opened when the parent window is already fullscreen did not respect the child windows' fullscreenability and resizability settings. #39620 (Also in 24, 25, 26, 27)
  • Fixed an issue where closing and opening a minimized DevTools window would not work as expected. #40091 (Also in 25, 26, 27)
  • Fixed an issue where pressing the escape key did not exit PDF presentation mode. #39616 (Also in 25, 26, 27)
  • Fixed an issue where the Node.js assert module did not work in the renderer process. #39540 (Also in 24, 25, 26, 27)
  • Fixed an issue where using webcrypto.subtle.importKey() could error and fail if SharedArrayBuffers are not defined. #40070 (Also in 27)
  • Fixed an issue where vibrant windows incorrectly have square corners when they're modals on macOS. #39979 (Also in 25, 26, 27)
  • Fixed an issue with applying vibrancy on non-transparent windows on macOS. #40109 (Also in 27)
  • Fixed an issue with webContents interaction with fullscreen and WCO on macOS. #40219 (Also in 25, 26, 27)
  • Fixed an unexpectedly thrown error in some unsupported chrome extensions. #40514 (Also in 26, 27)
  • Fixed crash on shutdown in TLS sockets with Node.js HTTP/2 connections. #39928 (Also in 25, 26, 27)
  • Fixed decorations for tiled windows on Wayland. #39523 (Also in 22, 24, 25, 26, 27)
  • Fixed deprecated gpu-process-crashed / renderer-process-crashed events being emitted twice and with incorrect arguments. #40090 (Also in 22, 24, 25, 26, 27)
  • Fixed devtools to allow restoring saved dock state on Windows. #39734 (Also in 25, 26, 27)
  • Fixed how screen readers are detected on Windows to

renovate bot force-pushed the renovate/npm-electron-vulnerability branch from a9b3bd6 to 594634b on August 19, 2025 at 18:49