Vulnerability details: VCID-qd52-rbd7-qkbn
Vulnerability ID VCID-qd52-rbd7-qkbn
Aliases CVE-2025-55305
GHSA-vmqv-hx8q-j7mg
Summary Electron has ASAR Integrity Bypass via resource modification

### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted.

Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the `resources` folder in your app installation on Windows, which these fuses are supposed to protect against.

### Workarounds
There are no app-side workarounds; you must update to a patched version of Electron.

### Fixed Versions
* `38.0.0-beta.6`
* `37.3.1`
* `36.8.1`
* `35.7.5`

### For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55305.json
epss 6e-05 https://api.first.org/data/v1/epss?cve=CVE-2025-55305
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vmqv-hx8q-j7mg
cvssv3.1 6.1 https://github.com/electron/electron
generic_textual MODERATE https://github.com/electron/electron
cvssv3.1 6.1 https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
generic_textual MODERATE https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
ssvc Track https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
cvssv3.1 6.1 https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1
generic_textual MODERATE https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1
ssvc Track https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1
cvssv3.1 6.1 https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d
generic_textual MODERATE https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d
ssvc Track https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d
cvssv3.1 6.1 https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee
generic_textual MODERATE https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee
ssvc Track https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee
cvssv3.1 6.1 https://github.com/electron/electron/pull/48101
generic_textual MODERATE https://github.com/electron/electron/pull/48101
ssvc Track https://github.com/electron/electron/pull/48101
cvssv3.1 6.1 https://github.com/electron/electron/pull/48102
generic_textual MODERATE https://github.com/electron/electron/pull/48102
ssvc Track https://github.com/electron/electron/pull/48102
cvssv3.1 6.1 https://github.com/electron/electron/pull/48103
generic_textual MODERATE https://github.com/electron/electron/pull/48103
ssvc Track https://github.com/electron/electron/pull/48103
cvssv3.1 6.1 https://github.com/electron/electron/pull/48104
generic_textual MODERATE https://github.com/electron/electron/pull/48104
ssvc Track https://github.com/electron/electron/pull/48104
cvssv3.1 6.1 https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
cvssv3.1_qr MODERATE https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
generic_textual MODERATE https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
ssvc Track https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2025-55305
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2025-55305
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-55305.json
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/pull/48101
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/pull/48101
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/pull/48102
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/pull/48102
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/pull/48103
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/pull/48103
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/pull/48104
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/pull/48104
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-05T15:44:19Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2025-55305
Exploit Prediction Scoring System (EPSS)
Percentile 0.00392
EPSS Score 6e-05
Published At April 24, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:55:13.254298+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-vmqv-hx8q-j7mg/GHSA-vmqv-hx8q-j7mg.json 38.0.0