GHSA-mwmh-mq4g-g6gr

Source

https://github.com/advisories/GHSA-mwmh-mq4g-g6gr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwmh-mq4g-g6gr/GHSA-mwmh-mq4g-g6gr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mwmh-mq4g-g6gr

Aliases

CVE-2026-34773

Published

2026-04-03T02:41:52Z

Modified

2026-04-06T23:18:42.129720Z

Severity

4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Details

Impact

On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.

Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.

Workarounds

Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fixed Versions

41.0.0
40.8.1
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Database specific

{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-20",
        "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T02:41:52Z",
    "nvd_published_at": "2026-04-04T00:16:18Z"
}

References

Affected packages

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

38.8.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwmh-mq4g-g6gr/GHSA-mwmh-mq4g-g6gr.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

39.0.0-alpha.1

Fixed

39.8.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwmh-mq4g-g6gr/GHSA-mwmh-mq4g-g6gr.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

40.0.0-alpha.1

Fixed

40.8.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwmh-mq4g-g6gr/GHSA-mwmh-mq4g-g6gr.json"

npm / electron

Package

Name: electron; View open source insights on deps.dev
Purl: pkg:npm/electron

Affected ranges

Type: SEMVER
Events: Introduced

41.0.0-alpha.1

Fixed

41.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mwmh-mq4g-g6gr/GHSA-mwmh-mq4g-g6gr.json"