Red Hat CVE-2026-34767
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.
An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.
Apps that do not reflect external input into response headers are not affected.
Workarounds
Validate or sanitize any untrusted input before including it in a response header name or value.
Fixed Versions
41.0.340.8.339.8.338.8.6
For more information
If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
HTTP response header injection in Electron allows remote attackers to inject malicious headers via crafted input reflected in response headers when custom protocol handlers or webRequest.onHeadersReceived are used. An attacker can manipulate cookies, content security policy, or cross-origin access controls in affected applications. This affects Electron 41.x before 41.0.3, 40.x before 40.8.3, 39.x before 39.8.3, and 38.x before 38.8.6; no public exploit code is documented at time of analysis.
Technical ContextAI
The vulnerability exists in Electron's protocol handling and web request interception mechanisms. When applications register custom protocol handlers via protocol.handle() or protocol.registerSchemesAsPrivileged(), or modify response headers via webRequest.onHeadersReceived event handlers, unsanitized external input can be directly injected into HTTP response header names or values. This is a classic header injection vulnerability (CWE-74: Improper Neutralization of Special Elements used in an HTTP Header) where newline characters or header-delimiter syntax in attacker-controlled data allow injection of additional headers. The root cause is insufficient input validation before headers are constructed and sent to clients. The vulnerability is specific to Electron npm packages across multiple major versions.
RemediationAI
Upgrade to patched versions: Electron 41.0.3 or later, 40.8.3 or later, 39.8.3 or later, or 38.8.6 or later. As a workaround, validate and sanitize all untrusted input before including it in response header names or values; specifically, reject or escape input containing newline characters (CR/LF) and other HTTP header delimiters. For applications using webRequest.onHeadersReceived, implement strict allowlisting of header values and sanitize any dynamic content. Refer to the GitHub Security Advisory at https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v for additional context.
Same technique Code Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-4p4r-m79c-wq3v