Search for vulnerabilities
| Vulnerability ID | VCID-hmgu-cvce-h3e4 |
| Aliases |
CVE-2022-29257
GHSA-77xc-hjv8-ww97 |
| Summary | AutoUpdater module fails to validate certain nested components of the bundle ### Impact This vulnerability allows attackers who have control over a given apps update server / update storage to serve maliciously crafted update packages that pass the code signing validation check but contain malicious code in some components. Please note that this kind of attack would require **significant** privileges in your own auto updating infrastructure and the ease of that attack entirely depends on your infrastructure security. ### Patches This has been patched and the following Electron versions contain the fix: * `18.0.0-beta.6` * `17.2.0` * `16.2.0` * `15.5.0` ### Workarounds There are no workarounds for this issue, please update to a patched version of Electron. ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org) |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| epss | 0.00451 | https://api.first.org/data/v1/epss?cve=CVE-2022-29257 |
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-77xc-hjv8-ww97 |
| cvssv3.1 | 6.6 | https://github.com/electron/electron |
| generic_textual | MODERATE | https://github.com/electron/electron |
| cvssv3.1 | 6.6 | https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97 |
| cvssv3.1_qr | MODERATE | https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97 |
| generic_textual | MODERATE | https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97 |
| ssvc | Track | https://github.com/electron/electron/security/advisories/GHSA-77xc-hjv8-ww97 |
| cvssv3.1 | 6.6 | https://nvd.nist.gov/vuln/detail/CVE-2022-29257 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2022-29257 |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Privileges Required (PR) | User Interaction (UI) | Scope (S) | Confidentiality Impact (C) | Integrity Impact (I) | Availability Impact (A) |
|---|---|---|---|---|---|---|---|
network adjacent_network local physical |
low high |
none low high |
none required |
unchanged changed |
high low none |
high low none |
high low none |
| Percentile | 0.63966 |
| EPSS Score | 0.00451 |
| Published At | May 29, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-05-29T09:31:27.875774+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-77xc-hjv8-ww97/GHSA-77xc-hjv8-ww97.json | 38.6.0 |