electron-updater CVE-2026-54673
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network redirect with low complexity; requires a credentialed feed (PR:L) and an update check (UI:R); credential crosses into attacker origin (S:C) for high confidentiality, no integrity/availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers - most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow) - were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination. This issue has been fixed in version 9.7.0.
AnalysisAI
Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target application uses electron-updater (< 9.7.0) with a credentialed update feed that sends a header other than exactly-lowercase "authorization" - concretely GitLab's PRIVATE-TOKEN personal-access-token header or a mixed-case Authorization Bearer/OAuth header - and that the update request encounters an HTTP redirect to a host the attacker controls or can inject. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N, base 8.2) reflects a network-reachable, low-complexity issue with high confidentiality impact on both the vulnerable and a subsequent system (SC:H captures the credential crossing into the attacker's origin), no integrity/availability impact, and passive user interaction - the update check itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An Electron app configured to pull updates from a private GitLab feed sends its PRIVATE-TOKEN or Authorization header to the update server; an attacker who can influence or compromise that server (or a host in the redirect path) returns a 3xx redirect to an attacker-controlled origin. Because electron-updater fails to strip the non-lowercase-"authorization" credential header on redirect, the user's GitLab token is replayed to the attacker, who then uses it to access the victim's GitLab resources. … |
| Remediation | Upgrade the electron-updater / builder-util-runtime dependency to version 9.7.0 or later, which corrects the header-stripping logic to remove all credential-bearing headers (case-insensitive Authorization and PRIVATE-TOKEN) before following a cross-origin redirect; this is the primary and complete fix (Vendor-released patch: 9.7.0, commit https://github.com/electron-userland/electron-builder/commit/22a7532bd01b9fb42cff7c58d599c7ad683569fe, advisory https://github.com/electron-userland/electron-builder/security/advisories/GHSA-p2f4-r6v6-j797). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Electron applications in production and development using electron-updater versions prior to 9.7.0. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Electron Builder
View allelectron-updater allows for automatic updates for Electron apps. Rated high severity (CVSS 7.5), this vulnerability is r
Local arbitrary code execution in electron-builder (app-builder-lib) AppImage targets prior to 26.15.0 occurs because an
electron-builder is a solution to package and build a ready for distribution Electron, Proton Native app for macOS, Wind
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today