Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/electron@20.0.0-beta.11
purl pkg:npm/electron@20.0.0-beta.11
Next non-vulnerable version 35.7.5
Latest non-vulnerable version 42.0.0-alpha.5
Risk 10.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-7eu1-94qk-nuar
Aliases:
CVE-2023-44402
GHSA-7m48-wc93-9g85
ASAR Integrity bypass via filetype confusion in electron This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against.
22.3.24
Affected by 3 other vulnerabilities.
24.8.3
Affected by 3 other vulnerabilities.
25.8.1
Affected by 3 other vulnerabilities.
26.2.1
Affected by 3 other vulnerabilities.
27.0.0-alpha.7
Affected by 0 other vulnerabilities.
27.0.0-beta.1
Affected by 4 other vulnerabilities.
VCID-a795-r67e-p3ck
Aliases:
CVE-2023-29198
GHSA-p7v2-p9m8-qqg7
Improper Check for Unusual or Exceptional Conditions Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps using `contextIsolation` and `contextBridge` are affected. This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. This issue is only exploitable if an API exposed to the main world via `contextBridge` can return an object or array that contains a javascript object which cannot be serialized, for instance, a canvas rendering context. This would normally result in an exception being thrown `Error: object could not be cloned`. The app side workaround is to ensure that such a case is not possible. Ensure all values returned from a function exposed over the context bridge are supported. This issue has been fixed in versions `25.0.0-alpha.2`, `24.0.1`, `23.2.3`, and `22.3.6`.
22.3.6
Affected by 6 other vulnerabilities.
23.2.3
Affected by 4 other vulnerabilities.
24.0.1
Affected by 0 other vulnerabilities.
24.1.0
Affected by 6 other vulnerabilities.
25.0.0-alpha.2
Affected by 4 other vulnerabilities.
VCID-f81v-9fv8-93cd
Aliases:
CVE-2023-5217
GHSA-qqvq-6xgj-jw8g
Out-of-bounds Write Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
22.3.25
Affected by 2 other vulnerabilities.
23.0.0-alpha.1
Affected by 6 other vulnerabilities.
24.8.5
Affected by 2 other vulnerabilities.
25.0.0-alpha.1
Affected by 5 other vulnerabilities.
25.8.4
Affected by 2 other vulnerabilities.
26.0.0-alpha.1
Affected by 4 other vulnerabilities.
26.2.4
Affected by 2 other vulnerabilities.
27.0.0-beta.8
Affected by 2 other vulnerabilities.
VCID-j7d6-zp3s-67fq
Aliases:
CVE-2024-46993
GHSA-6r2x-8pq8-9489
Electron vulnerable to Heap Buffer Overflow in NativeImage ### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).
28.3.2
Affected by 1 other vulnerability.
29.3.3
Affected by 1 other vulnerability.
30.0.3
Affected by 2 other vulnerabilities.
VCID-qd52-rbd7-qkbn
Aliases:
CVE-2025-55305
GHSA-vmqv-hx8q-j7mg
Electron has ASAR Integrity Bypass via resource modification ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `38.0.0-beta.6` * `37.3.1` * `36.8.1` * `35.7.5` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
35.7.5
Affected by 0 other vulnerabilities.
36.8.1
Affected by 0 other vulnerabilities.
37.3.1
Affected by 0 other vulnerabilities.
38.0.0-beta.6
Affected by 0 other vulnerabilities.
VCID-w7f7-5frp-n3br
Aliases:
CVE-2023-39956
GHSA-7x97-j373-85x5
Improper Control of Generation of Code ('Code Injection') Electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Electron apps that are launched as command line executables are impacted. Specifically this issue can only be exploited if the following conditions are met: 1. The app is launched with an attacker-controlled working directory and 2. The attacker has the ability to write files to that working directory. This makes the risk quite low, in fact normally issues of this kind are considered outside of our threat model as similar to Chromium we exclude Physically Local Attacks but given the ability for this issue to bypass certain protections like ASAR Integrity it is being treated with higher importance. This issue has been fixed in versions:`26.0.0-beta.13`, `25.4.1`, `24.7.1`, `23.3.13`, and `22.3.19`. There are no app side workarounds, users must update to a patched version of Electron.
22.3.19
Affected by 0 other vulnerabilities.
22.3.21
Affected by 5 other vulnerabilities.
23.3.13
Affected by 3 other vulnerabilities.
24.7.1
Affected by 5 other vulnerabilities.
25.5.0
Affected by 5 other vulnerabilities.
26.0.0-beta.13
Affected by 0 other vulnerabilities.
26.0.0
Affected by 5 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T23:39:58.767427+00:00 GitLab Importer Affected by VCID-qd52-rbd7-qkbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2025-55305.yml 38.4.0
2026-04-16T23:31:59.577000+00:00 GitLab Importer Affected by VCID-j7d6-zp3s-67fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml 38.4.0
2026-04-16T22:44:38.551036+00:00 GitLab Importer Affected by VCID-7eu1-94qk-nuar https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-44402.yml 38.4.0
2026-04-16T22:39:39.610430+00:00 GitLab Importer Affected by VCID-f81v-9fv8-93cd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-5217.yml 38.4.0
2026-04-16T22:37:36.522500+00:00 GitLab Importer Affected by VCID-a795-r67e-p3ck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-29198.yml 38.4.0
2026-04-16T22:37:25.147341+00:00 GitLab Importer Affected by VCID-w7f7-5frp-n3br https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-39956.yml 38.4.0
2026-04-12T01:00:44.336508+00:00 GitLab Importer Affected by VCID-qd52-rbd7-qkbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2025-55305.yml 38.3.0
2026-04-12T00:51:51.643741+00:00 GitLab Importer Affected by VCID-j7d6-zp3s-67fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml 38.3.0
2026-04-12T00:04:15.297379+00:00 GitLab Importer Affected by VCID-7eu1-94qk-nuar https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-44402.yml 38.3.0
2026-04-11T23:59:06.009727+00:00 GitLab Importer Affected by VCID-f81v-9fv8-93cd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-5217.yml 38.3.0
2026-04-11T23:56:55.573494+00:00 GitLab Importer Affected by VCID-a795-r67e-p3ck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-29198.yml 38.3.0
2026-04-11T23:56:43.534625+00:00 GitLab Importer Affected by VCID-w7f7-5frp-n3br https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-39956.yml 38.3.0
2026-04-03T01:08:56.707945+00:00 GitLab Importer Affected by VCID-qd52-rbd7-qkbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2025-55305.yml 38.1.0
2026-04-03T00:59:56.368130+00:00 GitLab Importer Affected by VCID-j7d6-zp3s-67fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml 38.1.0
2026-04-03T00:08:55.596440+00:00 GitLab Importer Affected by VCID-7eu1-94qk-nuar https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-44402.yml 38.1.0
2026-04-03T00:02:10.706694+00:00 GitLab Importer Affected by VCID-f81v-9fv8-93cd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-5217.yml 38.1.0
2026-04-02T23:59:59.388541+00:00 GitLab Importer Affected by VCID-a795-r67e-p3ck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-29198.yml 38.1.0
2026-04-02T23:59:47.886191+00:00 GitLab Importer Affected by VCID-w7f7-5frp-n3br https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-39956.yml 38.1.0