Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-743j-3qgs-rueu
Vulnerability ID VCID-743j-3qgs-rueu
Aliases CVE-2022-21718
GHSA-3p22-ghq8-v749
Summary Renderers can obtain access to random bluetooth device without permission in Electron ### Impact This vulnerability allows renderers to obtain access to a random bluetooth device via the [web bluetooth API](https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetooth_API) if the app has not configured a custom `select-bluetooth-device` event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device. All current stable versions of Electron are affected. ### Patches This has been patched and the following Electron versions contain the fix: * `17.0.0-alpha.6` * `16.0.6` * `15.3.5` * `14.2.4` * `13.6.6` ### Workarounds Adding this code to your app can workaround the issue. ```js app.on('web-contents-created', (event, webContents) => { webContents.on('select-bluetooth-device', (event, devices, callback) => { // Prevent default behavior event.preventDefault(); // Cancel the request callback(''); }); }); ``` For more information If you have any questions or comments about this advisory, email us at security@electronjs.org.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-668 Exposure of Resource to Wrong Sphere
CWE-862 Missing Authorization
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00848 https://api.first.org/data/v1/epss?cve=CVE-2022-21718
cvssv3.1_qr LOW https://github.com/advisories/GHSA-3p22-ghq8-v749
cvssv3.1 3.4 https://github.com/electron/electron
generic_textual LOW https://github.com/electron/electron
cvssv3.1 3.4 https://github.com/electron/electron/pull/32178
generic_textual LOW https://github.com/electron/electron/pull/32178
cvssv3.1 3.4 https://github.com/electron/electron/pull/32240
generic_textual LOW https://github.com/electron/electron/pull/32240
cvssv3.1 3.4 https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749
cvssv3.1_qr LOW https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749
generic_textual LOW https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749
cvssv3.1 3.4 https://nvd.nist.gov/vuln/detail/CVE-2022-21718
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2022-21718
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2022-21718
https://github.com/electron/electron
https://github.com/electron/electron/pull/32178
https://github.com/electron/electron/pull/32240
https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749
https://nvd.nist.gov/vuln/detail/CVE-2022-21718
GHSA-3p22-ghq8-v749 https://github.com/advisories/GHSA-3p22-ghq8-v749
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N Found at https://github.com/electron/electron
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N Found at https://github.com/electron/electron/pull/32178
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N Found at https://github.com/electron/electron/pull/32240
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N Found at https://github.com/electron/electron/security/advisories/GHSA-3p22-ghq8-v749
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-21718
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.75164
EPSS Score 0.00848
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T09:29:40.498388+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-3p22-ghq8-v749/GHSA-3p22-ghq8-v749.json 38.6.0