Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Published: 2026-04-03
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Spoofed IPC replies can compromise security-sensitive decisions
Action: Patch
AI Analysis

Impact

A service worker in an Electron application can fabricate reply messages on the internal IPC channel used by webContents.executeJavaScript(). This allows attacker‑controlled data to resolve the promise in the main process, potentially altering security‑sensitive decisions that rely on that data. The weakness involves improper authentication control (CWE‑290) and delivery of false trustworthy data (CWE‑345).

Affected Systems

The issue affects Electron releases prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0. Applications that register service workers and subsequently call webContents.executeJavaScript() or webFrameMain.executeJavaScript() and use the result for security checks are impacted. Upstream Electron versions are identified as electron:electron in the CNA feed.

Risk and Exploitability

The CVSS score is 5.9, reflecting moderate severity. EPSS score is unavailable and the flaw is not listed in the CISA KEV catalog. Exploitation requires that the attacker control a service worker within the application’s context and that the application processes the executeJavaScript result in a security‑sensitive manner. Impact is therefore contingent on application logic, rather than a universal privilege escalation.

Generated by OpenCVE AI on April 4, 2026 at 02:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to version 38.8.6, 39.8.1, 40.8.1, or 41.0.0, or a newer release.

Generated by OpenCVE AI on April 4, 2026 at 02:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-xj5x-m3f3-5x3h Electron: Service worker can spoof executeJavaScript IPC replies
History

Mon, 20 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Electronjs
Electronjs electron
CPEs cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta8:*:*:*:node.js:*:*
Vendors & Products Electronjs
Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Vendors & Products Electron
Electron electron
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Title Electron: Service worker can spoof executeJavaScript IPC replies
Weaknesses CWE-290
CWE-345
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N'}

Subscriptions

Electron Electron
Electronjs Electron
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:50:49.205Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34778

cve-icon Vulnrichment

Updated: 2026-04-06T15:50:44.625Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T00:16:19.060

Modified: 2026-04-20T14:22:54.050

Link: CVE-2026-34778

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T23:59:07Z

Links: CVE-2026-34778 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T22:21:09Z

Weaknesses