Improper Control of Generation of Code ('Code Injection') in electron

CVE-2025-55305

electron
org.webjars.npm:electron

Medium

6.1/10

Summary

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML, and CSS. In versions prior to 35.7.5, 36.0.x prior to 36.8.1, 37.0.x prior to 37.3.1, and 38.0.x prior to 38.0.0-beta6 ASAR Integrity Bypass via resource modification. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: LOW
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-94 - Code Injection

Code injection is a type of vulnerability that allows an attacker to execute arbitrary code. This vulnerability fully compromises the machine and can cause a wide variety of security issues, such as unauthorized access to sensitive information, manipulation of data, denial of service attacks etc. Code injection is different from command injection in the fact that it is limited by the functionality of the injected language (e.g. PHP), as opposed to command injection, which leverages existing code to execute commands, usually within the context of a shell.

References

Advisory Timeline

Published Sep 04, 2025

Improper Control of Generation of Code ('Code Injection') in electron

CVE-2025-55305

Summary

CWE-94 - Code Injection

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS