Skip to main content

electron-updater CVE-2026-54673

HIGH
Information Exposure (CWE-200)
2026-06-30 GitHub_M
8.2
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.8 MEDIUM

Network redirect with low complexity; requires a credentialed feed (PR:L) and an update check (UI:R); credential crosses into attacker origin (S:C) for high confidentiality, no integrity/availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 23:26 vuln.today

DescriptionCVE.org

electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler (HttpExecutor.prepareRedirectUrlOptions) only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers - most notably PRIVATE-TOKEN (used by GitLab's personal access token flow) and mixed-case Authorization (used by GitLab's Bearer/OAuth flow) - were not stripped and could be forwarded to an attacker-controlled cross-origin redirect destination. This issue has been fixed in version 9.7.0.

AnalysisAI

Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position on update redirect path
Delivery
App sends update request with PRIVATE-TOKEN header
Exploit
Return 3xx redirect to attacker origin
Execution
electron-updater forwards credential header
Persist
Capture GitLab token
Impact
Access victim's private resources

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application uses electron-updater (< 9.7.0) with a credentialed update feed that sends a header other than exactly-lowercase "authorization" - concretely GitLab's PRIVATE-TOKEN personal-access-token header or a mixed-case Authorization Bearer/OAuth header - and that the update request encounters an HTTP redirect to a host the attacker controls or can inject. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N, base 8.2) reflects a network-reachable, low-complexity issue with high confidentiality impact on both the vulnerable and a subsequent system (SC:H captures the credential crossing into the attacker's origin), no integrity/availability impact, and passive user interaction - the update check itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An Electron app configured to pull updates from a private GitLab feed sends its PRIVATE-TOKEN or Authorization header to the update server; an attacker who can influence or compromise that server (or a host in the redirect path) returns a 3xx redirect to an attacker-controlled origin. Because electron-updater fails to strip the non-lowercase-"authorization" credential header on redirect, the user's GitLab token is replayed to the attacker, who then uses it to access the victim's GitLab resources. …
Remediation Upgrade the electron-updater / builder-util-runtime dependency to version 9.7.0 or later, which corrects the header-stripping logic to remove all credential-bearing headers (case-insensitive Authorization and PRIVATE-TOKEN) before following a cross-origin redirect; this is the primary and complete fix (Vendor-released patch: 9.7.0, commit https://github.com/electron-userland/electron-builder/commit/22a7532bd01b9fb42cff7c58d599c7ad683569fe, advisory https://github.com/electron-userland/electron-builder/security/advisories/GHSA-p2f4-r6v6-j797). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Electron applications in production and development using electron-updater versions prior to 9.7.0. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54673 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy