Fluid Attacks Database

Description

Electron: Service worker can spoof executeJavaScript IPC replies

Impact

A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.

Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.

Workarounds

Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.

Fixed Versions

41.0.0

40.8.1

39.8.1

38.8.6

For more information

If there are any questions or comments about this advisory, please email [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	electron	>=0 <38.8.6 \|\| >=39.0.0-alpha.1 <39.8.1 \|\| >=40.0.0-alpha.1 <40.8.1 \|\| >=41.0.0-alpha.1 <41.0.0	38.8.6, 39.8.1, 40.8.1, 41.0.0

Aliases

1. CVE-2026-347782. NVD-2026-347783. OSV-2026-347784. GHSA-xj5x-m3f3-5x3h5. GCVE-2026-34778

References

1. https://github.com/electron/electron/security/advisories/GHSA-xj5x-m3f3-5x3h

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.