CVE-2026-34778
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.
Workarounds
Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Electron's service worker implementation allows spoofing of internal IPC reply messages, enabling a malicious service worker to inject attacker-controlled data into the main process's promise resolution from webContents.executeJavaScript() and related methods. This affects Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6, and impacts only applications that register service workers and rely on executeJavaScript() return values for security decisions. The vulnerability requires local authenticated access and medium attack complexity, with no public exploit code or active exploitation confirmed at analysis time.
Technical ContextAI
Electron's webContents.executeJavaScript() and webFrameMain.executeJavaScript() methods use an internal IPC (Inter-Process Communication) channel to transmit code execution results from the renderer process back to the main process. The vulnerability stems from insufficient validation of reply messages on this internal channel (CWE-290: Improper Input Validation), allowing a service worker-which runs within the renderer process context-to craft and inject spoofed messages that the main process accepts as legitimate responses. This breaks the trust boundary between the renderer and main process for security-critical data flows. The NPM package 'electron' across multiple versions (before the fixed versions) is affected, as indicated by the CPE identifiers.
RemediationAI
Upgrade Electron to version 41.0.0 or later (recommended for active development), or to the latest patch version within your supported release line: 40.8.1 for the 40.x branch, 39.8.1 for the 39.x branch, or 38.8.6 for the 38.x branch. As an interim workaround before patching, do not use the return value of webContents.executeJavaScript() or webFrameMain.executeJavaScript() for security decisions; instead, implement dedicated and validated IPC channels (using ipcMain/ipcRenderer with explicit message validation) for all security-relevant communication between renderer and main processes. Applications not using service workers or not relying on executeJavaScript() for security logic face minimal real-world risk. Consult https://github.com/advisories/GHSA-xj5x-m3f3-5x3h for additional context.
Same weakness CWE-290 – Authentication Bypass by Spoofing
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-xj5x-m3f3-5x3h