Fluid Attacks Database

Description

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions

41.0.0

40.8.1

39.8.1

38.8.6

For more information

If there are any questions or comments about this advisory, please email [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	electron	>=0 <38.8.6 \|\| >=39.0.0-alpha.1 <39.8.1 \|\| >=40.0.0-alpha.1 <40.8.1 \|\| >=41.0.0-alpha.1 <41.0.0	38.8.6, 39.8.1, 40.8.1, 41.0.0

Aliases

1. CVE-2026-347732. NVD-2026-347733. OSV-2026-347734. GHSA-mwmh-mq4g-g6gr5. GCVE-2026-34773

References

1. https://github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.