Impact
In affected Electron versions, a preload script that passes a WebCodecs VideoFrame object to the main world via contextBridge.exposeInMainWorld() creates a context isolation bypass: an attacker who has already injected JavaScript into the renderer process can use the bridged object to reach the isolated preload world and any Node.js APIs available there. The weakness is categorized as CWE-1188 (Insecure Deserialization), CWE-501 (Uncontrolled Input), and CWE-668 (Privilege-Related Configuration Error), reflecting that the bypass stems from insecure handling of data, improper input validation, and inadequate restriction of privileged operations.
Affected Systems
Electron versions 39.0.0-alpha.1 through 39.7.x, 40.0.0-alpha.1 through 40.6.x, and 41.0.0-alpha.1 through 41.0.0-beta.7 are impacted when a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Versions 39.8.0, 40.7.0, and 41.0.0-beta.8 and later are patched and not affected. Applications that do not bridge VideoFrame objects are not vulnerable.
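As an added example (not Electron's code and not part of the advisory), the following preload-side helper shows the pattern described above beside a hardened form: rather than letting a VideoFrame cross contextBridge, it copies the frame's metadata and pixel bytes into plain data first and refuses any other non-plain value, whether returned directly, resolved from a promise, or exposed as a property. It assumes an Electron preload with contextIsolation enabled; guardedExpose, isPlainData, serializeVideoFrame and the stand-in VideoFrame class used when running outside Electron are all constructed here.

```javascript
'use strict';

// Pattern the advisory describes (vulnerable on affected versions): the frame object itself
// is handed to the main world.
//   contextBridge.exposeInMainWorld('video', { grab: () => someVideoFrame });

// Constructed stand-in, used only when the real WebCodecs VideoFrame is absent (plain Node),
// so the example runs offline. In a renderer/preload the platform class is used as-is.
if (typeof globalThis.VideoFrame === 'undefined') {
  globalThis.VideoFrame = class VideoFrame {
    constructor(pixels, { format, codedWidth, codedHeight, timestamp }) {
      this.pixels = pixels; this.format = format; this.codedWidth = codedWidth;
      this.codedHeight = codedHeight; this.timestamp = timestamp; this.closed = false;
    }
    allocationSize() { return this.pixels.length; }
    async copyTo(dest) { dest.set(this.pixels); return [{ offset: 0, stride: this.codedWidth * 4 }]; }
    close() { this.closed = true; }
  };
}

// Binary containers that are safe to bridge as data (a conservative subset of what
// structured clone accepts; Map, Set, Date and platform objects are deliberately rejected).
const SAFE_BUFFER_TYPES = [ArrayBuffer, Uint8Array, Uint8ClampedArray, Uint16Array,
  Uint32Array, Int8Array, Int16Array, Int32Array, Float32Array, Float64Array, DataView];

// True when `value` consists only of primitives, arrays, plain objects and binary buffers.
// Anything backed by a platform class (VideoFrame, ImageBitmap, ...) fails the check.
function isPlainData(value, seen = new Set()) {
  if (value === null || value === undefined) return true;
  const t = typeof value;
  if (t === 'string' || t === 'number' || t === 'boolean' || t === 'bigint') return true;
  if (t !== 'object') return false; // functions and symbols are not data
  if (seen.has(value)) return true; // cycle already being checked
  seen.add(value);
  if (SAFE_BUFFER_TYPES.some((T) => value instanceof T)) return true;
  if (Array.isArray(value)) return value.every((v) => isPlainData(v, seen));
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) return false;
  return Object.values(value).every((v) => isPlainData(v, seen));
}

// Hardened form: convert a VideoFrame into plain data (metadata + a copy of the pixel bytes)
// so the main world never receives the frame object. The frame is closed afterwards.
async function serializeVideoFrame(frame) {
  const data = new Uint8Array(frame.allocationSize());
  const layout = await frame.copyTo(data); // PlaneLayout[]: plain {offset, stride} objects
  const result = {
    format: frame.format, codedWidth: frame.codedWidth, codedHeight: frame.codedHeight,
    timestamp: frame.timestamp, layout, data,
  };
  frame.close();
  return result;
}

// Wraps an API object before handing it to contextBridge.exposeInMainWorld. `bridge` is
// Electron's contextBridge in a real preload; a stub with the same shape works for tests.
function guardedExpose(bridge, name, api) {
  const wrapped = {};
  for (const [key, member] of Object.entries(api)) {
    if (typeof member !== 'function') {
      if (!isPlainData(member)) throw new TypeError(`${name}.${key}: refusing to bridge a non-plain value`);
      wrapped[key] = member;
      continue;
    }
    // Every function becomes async so both direct returns and resolved promises are checked.
    wrapped[key] = async (...args) => {
      let out = await member(...args);
      if (out instanceof globalThis.VideoFrame) out = await serializeVideoFrame(out);
      if (!isPlainData(out)) throw new TypeError(`${name}.${key}: refusing to bridge a non-plain return value`);
      return out;
    };
  }
  bridge.exposeInMainWorld(name, wrapped);
  return wrapped;
}
```

In a real preload this is called as guardedExpose(require('electron').contextBridge, 'video', { grab: () => captureFrame() }); the renderer then receives {format, codedWidth, codedHeight, timestamp, layout, data} instead of a VideoFrame. It is a defence-in-depth control for the bridge design, not a substitute for moving to the patched versions listed above.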
Risk and Exploitability
The CVSS score of 8.4 signals a high-severity vulnerability. Exploitation requires that the attacker first execute JavaScript in the renderer, typically through an XSS flaw, and then use the bridged VideoFrame to cross the isolation boundary. The EPSS score is below 1%, suggesting a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Once a renderer-side injection point is available, however, the bypass elevates an XSS incident into full access to Node.js APIs, enabling data theft, modification, or arbitrary code execution within the application.