Fluid Attacks Database

Description

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.

Fixed Versions

41.0.3

40.8.3

39.8.3

38.8.6

For more information

If there are any questions or comments about this advisory, send an email to [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	electron	>=0 <38.8.6 \|\| >=39.0.0-alpha.1 <39.8.3 \|\| >=40.0.0-alpha.1 <40.8.3 \|\| >=41.0.0-alpha.1 <41.0.3	38.8.6, 39.8.3, 40.8.3, 41.0.3

Aliases

1. CVE-2026-347672. NVD-2026-347673. OSV-2026-347674. GHSA-4p4r-m79c-wq3v5. GCVE-2026-34767

References

1. https://github.com/electron/electron/security/advisories/GHSA-4p4r-m79c-wq3v

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.