Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3.
Published: 2026-04-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: HTTP response header injection potentially affecting cookies, content‑security policy, and cross‑origin access controls
Action: Immediate Patch
AI Analysis

Impact

Electron, a framework for building desktop applications, is impacted by a flaw that allows an attacker to inject arbitrary HTTP response headers when the application registers custom protocol handlers or modifies response headers via webRequest.onHeadersReceived. If the application reflects attacker‑controlled input into a header name or value, the attacker may add new headers that alter cookie handling, violate content‑security policies, or modify cross‑origin access controls, thereby compromising the confidentiality or integrity of user data.

Affected Systems

The vulnerability affects Electron versions prior to 38.8.6, 39.8.3, 40.8.3, and 41.0.3. Applications built with these older Electron releases that use protocol.handle(), protocol.registerSchemesAsPrivileged(), or webRequest.onHeadersReceived and allow reflected user input into response headers are susceptible. Updated releases in the mentioned version series contain the fix.

Risk and Exploitability

The CVSS score of 5.9 indicates a moderate severity, and the EPSS score of less than 1% suggests low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack surface likely requires an attacker who can influence header values, such as through malicious protocol data or local code execution. If such influence is possible, the injected headers can subvert security controls within the application territory.

Generated by OpenCVE AI on April 9, 2026 at 17:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to version 38.8.6 or later, 39.8.3 or later, 40.8.3 or later, or 41.0.3 or later
  • Confirm that custom protocol handlers do not copy untrusted input into HTTP header names or values
  • Review webRequest.onHeadersReceived usage and ensure any header modifications are derived from validated data
  • If a patch is unavailable, sanitize or validate all header names and values before they are sent in a response

Generated by OpenCVE AI on April 9, 2026 at 17:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4p4r-m79c-wq3v Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
History

Thu, 09 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Electronjs
Electronjs electron
CPEs cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
Vendors & Products Electronjs
Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Weaknesses CWE-140
Vendors & Products Electron
Electron electron
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been patched in versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3.
Title Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Weaknesses CWE-113
CWE-74
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N'}

Subscriptions

Electron Electron
Electronjs Electron
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T19:07:57.198Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34767

cve-icon Vulnrichment

Updated: 2026-04-06T19:07:52.702Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T00:16:17.337

Modified: 2026-04-09T16:16:48.503

Link: CVE-2026-34767

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T23:43:09Z

Links: CVE-2026-34767 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:45:28Z

Weaknesses