CVE-2025-55305 – electron

Package

Manager: npm
Name: electron
Vulnerable Version: >=0 <35.7.5 || >=36.0.0-alpha.1 <36.8.1 || >=37.0.0-alpha.1 <37.3.1 || >=38.0.0-alpha.1 <38.0.0-beta.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00013 pctl0.01523

Details

Electron has ASAR Integrity Bypass via resource modification ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `38.0.0-beta.6` * `37.3.1` * `36.8.1` * `35.7.5` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

Metadata

Created: 2025-09-03T21:27:37Z
Modified: 2025-09-05T16:10:10Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-vmqv-hx8q-j7mg/GHSA-vmqv-hx8q-j7mg.json
CWE IDs: ["CWE-829", "CWE-94"]
Alternative ID: GHSA-vmqv-hx8q-j7mg
Finding: F184
Auto approve: 1