Skip to main content

Builder Util Runtime

1 CVEs product

Monthly

CVE-2026-54673 HIGH This Week

Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. There is no public exploit identified at time of analysis, but the upstream fix is published in version 9.7.0.

Gitlab Information Disclosure Electron Builder Builder Util Runtime
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.2%
EPSS 0% CVSS 8.2
HIGH This Week

Credential leakage in electron-updater (the auto-update component of electron-builder / builder-util-runtime) before 9.7.0 allows an attacker controlling a redirect target to harvest update-feed credentials. The HTTP redirect handler only stripped a header keyed exactly as lowercase "authorization", so PRIVATE-TOKEN (GitLab personal access tokens) and mixed-case Authorization (GitLab Bearer/OAuth) headers were forwarded to attacker-controlled cross-origin redirect destinations. There is no public exploit identified at time of analysis, but the upstream fix is published in version 9.7.0.

Gitlab Information Disclosure Electron Builder +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy