Microsoft
CVE-2026-34773
MEDIUM
Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.
Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
Workarounds
Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Electron's setAsDefaultProtocolClient() on Windows fails to validate protocol names before writing to the Windows registry, allowing local authenticated attackers to hijack protocol handlers by writing to arbitrary HKCU\Software\Classes\ subkeys when apps pass untrusted input as the protocol parameter. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and requires local access and low privileges; no public exploit has been identified at time of analysis.
Technical ContextAI
Electron is a framework for building cross-platform desktop applications using web technologies. On Windows, the setAsDefaultProtocolClient() API allows applications to register themselves as the default handler for custom protocol schemes (e.g., 'myapp://'). The vulnerability stems from insufficient input validation (CWE-20: Improper Input Validation) on the protocol name parameter before it is used to construct registry keys. Without validation, an attacker-controlled protocol name containing special characters or path traversal sequences can manipulate the registry write operation to target unintended subkeys under HKEY_CURRENT_USER\Software\Classes\, potentially overwriting legitimate protocol handler registrations. The affected CPE pkg:npm/electron indicates this affects the npm package across multiple major versions.
RemediationAI
Vendor-released patches are available: Electron 38.8.6, 39.8.1, 40.8.1, and 41.0.0 contain the fix. Applications must update to the appropriate patched version for their major version branch. As an interim workaround, applications should validate protocol names against the regular expression /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing them to app.setAsDefaultProtocolClient(); this ensures protocol names conform to RFC 3986 scheme syntax and prevents registry injection. Developers should also audit all callers of setAsDefaultProtocolClient() to identify whether untrusted input is being passed and apply the validation workaround immediately if such cases exist. For further guidance, contact security@electronjs.org or review https://github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr.
Same weakness CWE-20 – Improper Input Validation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-mwmh-mq4g-g6gr