Vulnerability details: VCID-jkqp-xpjx-sfhz
Vulnerability ID VCID-jkqp-xpjx-sfhz
Aliases CVE-2024-46992
GHSA-xw5q-g62x-2qjc
Summary electron ASAR Integrity bypass by just modifying the content

Electron's ASAR Integrity can be bypassed by modifying the content.

### Impact

This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows; apps using these fuses on macOS are unimpacted.

Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the .app bundle on macOS, which these fuses are supposed to protect against.

### Workarounds

There are no app-side workarounds; you must update to a patched version of Electron.

### Fixed Versions

* `30.0.5`
* `31.0.0-beta.1`

### For more information

If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
epss 0.0001 https://api.first.org/data/v1/epss?cve=CVE-2024-46992
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2024-46992
epss 8e-05 https://api.first.org/data/v1/epss?cve=CVE-2024-46992
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xw5q-g62x-2qjc
cvssv3.1 7.8 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 7.8 https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc
cvssv3.1_qr HIGH https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc
generic_textual HIGH https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc
ssvc Track https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc
cvssv3.1 7.8 https://nvd.nist.gov/vuln/detail/CVE-2024-46992
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-46992
cvssv3.1 7.8 https://www.electronjs.org/docs/latest/tutorial/fuses
generic_textual HIGH https://www.electronjs.org/docs/latest/tutorial/fuses
ssvc Track https://www.electronjs.org/docs/latest/tutorial/fuses
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-01T14:32:53Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-46992
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.electronjs.org/docs/latest/tutorial/fuses
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-07-01T14:32:53Z/ Found at https://www.electronjs.org/docs/latest/tutorial/fuses
Exploit Prediction Scoring System (EPSS)
Percentile 0.00749
EPSS Score 0.0001
Published At Sept. 9, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:39:06.358172+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-xw5q-g62x-2qjc/GHSA-xw5q-g62x-2qjc.json 37.0.0