Node.js CVE-2026-34780
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
5DescriptionNVD
Impact
Apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script.
Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected.
Workarounds
Do not pass VideoFrame objects across contextBridge. If an app needs to transfer video frame data, serialize it to an ArrayBuffer or ImageBitmap before bridging.
Fixed Versions
41.0.0-beta.840.7.039.8.0
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Context isolation bypass in Electron applications enables privilege escalation when VideoFrame objects are bridged to the main world. Attackers with XSS capabilities can leverage improperly bridged WebCodecs API VideoFrame objects to escape the isolated context and access Node.js APIs exposed in preload scripts. CVSS 8.4 (High) with network attack vector requiring high complexity and user interaction. No public exploit identified at time of analysis, though proof-of-concept development is feasible given the detailed vendor disclosure.
Technical ContextAI
Electron's contextBridge API is designed to safely expose limited APIs from the isolated preload script context to the untrusted main world renderer context. This vulnerability (CWE-668: Exposure of Resource to Wrong Sphere) affects Electron's handling of VideoFrame objects from the WebCodecs API when passed through contextBridge.exposeInMainWorld(). The VideoFrame object contains internal references that, when improperly sanitized during context bridging, create a capability leak allowing main world JavaScript to traverse back into the isolated context. The WebCodecs API provides low-level access to video encoders/decoders, and VideoFrame represents raw video frame data with associated metadata. The vulnerability specifically affects the npm package 'electron' across versions prior to the patched releases, exploiting the object serialization boundary between Node.js-enabled isolated contexts and the browser-like main world.
RemediationAI
Vendor-released patches are available: upgrade to Electron 41.0.0-beta.8 or later for version 41.x applications, upgrade to 40.7.0 or later for version 40.x applications, or upgrade to 39.8.0 or later for version 39.x applications. The patches fix the improper object handling when VideoFrame objects cross the context isolation boundary. For applications unable to upgrade immediately, implement the recommended workaround by avoiding direct bridging of VideoFrame objects across contextBridge; instead, serialize video frame data to ArrayBuffer or ImageBitmap formats before passing to the main world, which eliminates the capability leak. Review preload scripts and contextBridge.exposeInMainWorld() implementations to identify any VideoFrame bridging patterns. Complete remediation guidance and patched versions are documented in the GitHub Security Advisory at https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2. Contact security@electronjs.org for implementation questions.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-jfqg-hf23-qpw2