CVE-2026-34778
MEDIUM
GHSA-xj5x-m3f3-5x3h
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
3Description
### Impact A service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions. ### Workarounds Do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
Analysis
Electron's service worker implementation allows spoofing of internal IPC reply messages, enabling a malicious service worker to inject attacker-controlled data into the main process's promise resolution from webContents.executeJavaScript() and related methods. This affects Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6, and impacts only applications that register service workers and rely on executeJavaScript() return values for security decisions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today