VulnerableCode Package Details - pkg:npm/electron@27.0.0-alpha.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-2zn4-vrk9-1qhv Aliases: CVE-2024-46993 GHSA-6r2x-8pq8-9489	Electron vulnerable to Heap Buffer Overflow in NativeImage ### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).	28.3.2 Affected by 0 other vulnerabilities. 29.3.3 Affected by 0 other vulnerabilities. 30.0.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-mhcg-99p6-rqd4 Aliases: CVE-2023-44402 GHSA-7m48-wc93-9g85	ASAR Integrity bypass via filetype confusion in electron ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `27.0.0-alpha.7` * `26.2.1` * `25.8.1` * `24.8.3` * `22.3.24` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)	27.0.0-alpha.7 Affected by 0 other vulnerabilities. 27.0.0-beta.1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-qq4y-61vn-pfdq Aliases: CVE-2023-5217 GHSA-qqvq-6xgj-jw8g	Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.	27.0.0-beta.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-2zn4-vrk9-1qhv
Aliases:
CVE-2024-46993
GHSA-6r2x-8pq8-9489

Electron vulnerable to Heap Buffer Overflow in NativeImage ### Impact The `nativeImage.createFromPath()` and `nativeImage.createFromBuffer()` functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. ### Workaround There are no app-side workarounds for this issue. You must update your Electron version to be protected. ### Patches - `v28.3.2` - `v29.3.3` - `v30.0.3` ### For More Information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

28.3.2
Affected by 0 other vulnerabilities.

29.3.3
Affected by 0 other vulnerabilities.

30.0.3
Affected by 1 other vulnerability.

VCID-mhcg-99p6-rqd4
Aliases:
CVE-2023-44402
GHSA-7m48-wc93-9g85

ASAR Integrity bypass via filetype confusion in electron ### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS as these fuses are only currently supported on macOS. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `27.0.0-alpha.7` * `26.2.1` * `25.8.1` * `24.8.3` * `22.3.24` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

27.0.0-alpha.7
Affected by 0 other vulnerabilities.

27.0.0-beta.1
Affected by 3 other vulnerabilities.

VCID-qq4y-61vn-pfdq
Aliases:
CVE-2023-5217
GHSA-qqvq-6xgj-jw8g

Specific handling of an attacker-controlled VP8 media stream could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.

27.0.0-beta.8
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-pe8x-79nr-3qg4	Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. Note: This advisory was previously also tracked as CVE-2023-5129.	CVE-2023-4863 GHSA-j7hp-h8jx-5ppr

Vulnerability

Summary

Aliases

VCID-pe8x-79nr-3qg4

Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild. *Note: This advisory was previously also tracked as CVE-2023-5129.*

CVE-2023-4863
GHSA-j7hp-h8jx-5ppr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T13:42:49.781591+00:00	GHSA Importer	Affected by	VCID-mhcg-99p6-rqd4	https://github.com/advisories/GHSA-7m48-wc93-9g85	37.0.0
2025-08-01T13:42:15.216900+00:00	GHSA Importer	Affected by	VCID-qq4y-61vn-pfdq	https://github.com/advisories/GHSA-qqvq-6xgj-jw8g	37.0.0
2025-08-01T12:24:12.279901+00:00	GitLab Importer	Affected by	VCID-2zn4-vrk9-1qhv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2024-46993.yml	37.0.0
2025-08-01T11:19:56.591318+00:00	GitLab Importer	Fixing	VCID-pe8x-79nr-3qg4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-4863.yml	37.0.0
2025-08-01T09:29:32.149803+00:00	GHSA Importer	Fixing	VCID-pe8x-79nr-3qg4	https://github.com/advisories/GHSA-j7hp-h8jx-5ppr	37.0.0
2025-07-31T09:30:41.663759+00:00	GitLab Importer	Affected by	VCID-mhcg-99p6-rqd4	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-44402.yml	37.0.0
2025-07-31T09:30:07.986974+00:00	GitLab Importer	Affected by	VCID-qq4y-61vn-pfdq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/electron/CVE-2023-5217.yml	37.0.0