CVE-2024-46992

July 1, 2025, 2:15 a.m.

7.8
High

Description

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 30.0.0-alpha.1 to before 30.0.5 and 31.0.0-alpha.1 to before 31.0.0-beta.1, Electron is vulnerable to an ASAR Integrity bypass. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are not impacted. Specifically this issue can only be exploited if the app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. This issue has been patched in versions 30.0.5 and 31.0.0-beta.1. There are no workarounds for this issue.

Product(s) Impacted

Vendor Product Versions
Electron
  • Electron
  • 30.0.0-alpha.1-30.0.4, 31.0.0-alpha.1-31.0.0-beta.0, 30.0.5, 31.0.0-beta.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-354
Improper Validation of Integrity Check Value
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a electron electron 30.0.0-alpha.1-30.0.4 / / / / / / /
a electron electron 31.0.0-alpha.1-31.0.0-beta.0 / / / / / / /
a electron electron 30.0.5 / / / / / / /
a electron electron 31.0.0-beta.1 / / / / / / /

References

https://github.com/electron/electron/security/advisories/GHSA-xw5q-g62x-2qjc
https://www.electronjs.org/docs/latest/tutorial/fuses

Tags

security-advisories@github.com
CWE-354
2025-07-01
CVE-2024-46992

CVSS Score

7.8 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: July 1, 2025, 2:15 a.m.
Last Modified: July 1, 2025, 2:15 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.