Vulnerability details: VCID-mhcg-99p6-rqd4
Vulnerability ID VCID-mhcg-99p6-rqd4
Aliases CVE-2023-44402, GHSA-7m48-wc93-9g85
Summary ASAR Integrity bypass via filetype confusion in electron

### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS, as these fuses are currently only supported on macOS. Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the ability to edit files inside the `resources` folder in your app installation on Windows, which these fuses are supposed to protect against.

### Workarounds
There are no app-side workarounds; you must update to a patched version of Electron.

### Fixed Versions
* `27.0.0-alpha.7`
* `26.2.1`
* `25.8.1`
* `24.8.3`
* `22.3.24`

### For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).
Status Published
Exploitability 0.5
Weighted Severity 6.3
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00037 https://api.first.org/data/v1/epss?cve=CVE-2023-44402
epss 0.00115 https://api.first.org/data/v1/epss?cve=CVE-2023-44402
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7m48-wc93-9g85
cvssv3.1 6.1 https://github.com/electron/electron
generic_textual MODERATE https://github.com/electron/electron
cvssv3.1 6.1 https://github.com/electron/electron/pull/39788
generic_textual MODERATE https://github.com/electron/electron/pull/39788
cvssv3.1 6.1 https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
cvssv3.1_qr MODERATE https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
generic_textual MODERATE https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2023-44402
cvssv3.1 7.0 https://nvd.nist.gov/vuln/detail/CVE-2023-44402
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-44402
cvssv3.1 6.1 https://www.electronjs.org/docs/latest/tutorial/fuses
generic_textual MODERATE https://www.electronjs.org/docs/latest/tutorial/fuses
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2023-44402
https://github.com/electron/electron
https://github.com/electron/electron/pull/39788
https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
https://nvd.nist.gov/vuln/detail/CVE-2023-44402
https://www.electronjs.org/docs/latest/tutorial/fuses
cpe:2.3:a:electronjs:electron:27.0.0:alpha1:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:27.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:27.0.0:alpha2:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:27.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:27.0.0:alpha3:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:27.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:27.0.0:alpha4:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:27.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:27.0.0:alpha5:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:27.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:27.0.0:alpha6:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:27.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
GHSA-7m48-wc93-9g85 https://github.com/advisories/GHSA-7m48-wc93-9g85
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/pull/39788
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-44402
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-44402
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L Found at https://www.electronjs.org/docs/latest/tutorial/fuses
Exploit Prediction Scoring System (EPSS)
Percentile 0.09703
EPSS Score 0.00037
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:42:26.299129+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-7m48-wc93-9g85/GHSA-7m48-wc93-9g85.json 37.0.0