Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/electron@29.3.3
purl pkg:npm/electron@29.3.3
Next non-vulnerable version 35.7.5
Latest non-vulnerable version 42.0.0-alpha.5
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-qd52-rbd7-qkbn
Aliases:
CVE-2025-55305
GHSA-vmqv-hx8q-j7mg
Electron has ASAR Integrity Bypass via resource modification ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `38.0.0-beta.6` * `37.3.1` * `36.8.1` * `35.7.5` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
35.7.5
Affected by 0 other vulnerabilities.
36.8.1
Affected by 0 other vulnerabilities.
37.3.1
Affected by 0 other vulnerabilities.
38.0.0-beta.6
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-j7d6-zp3s-67fq Electron vulnerable to Heap Buffer Overflow in NativeImage ### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org). CVE-2024-46993
GHSA-6r2x-8pq8-9489

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T23:40:00.079579+00:00 GitLab Importer Affected by VCID-qd52-rbd7-qkbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2025-55305.yml 38.4.0
2026-04-16T23:32:00.907467+00:00 GitLab Importer Fixing VCID-j7d6-zp3s-67fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml 38.4.0
2026-04-12T01:00:45.742161+00:00 GitLab Importer Affected by VCID-qd52-rbd7-qkbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2025-55305.yml 38.3.0
2026-04-12T00:51:53.063987+00:00 GitLab Importer Fixing VCID-j7d6-zp3s-67fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml 38.3.0
2026-04-07T04:58:08.202622+00:00 GHSA Importer Fixing VCID-j7d6-zp3s-67fq https://github.com/advisories/GHSA-6r2x-8pq8-9489 38.1.0
2026-04-03T01:08:58.112203+00:00 GitLab Importer Affected by VCID-qd52-rbd7-qkbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2025-55305.yml 38.1.0
2026-04-03T00:59:57.873566+00:00 GitLab Importer Fixing VCID-j7d6-zp3s-67fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml 38.1.0
2026-04-02T12:41:38.671030+00:00 GitLab Importer Fixing VCID-j7d6-zp3s-67fq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml 38.0.0
2026-04-01T12:56:50.462626+00:00 GithubOSV Importer Fixing VCID-j7d6-zp3s-67fq https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-6r2x-8pq8-9489/GHSA-6r2x-8pq8-9489.json 38.0.0