CVE-2025-55305
MEDIUM6.1EPSS 0.01%Electron has ASAR Integrity Bypass via resource modification
Description
### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `38.0.0-beta.6` * `37.3.1` * `36.8.1` * `35.7.5` ### For more information If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected])
Affected packages (1)
- npm/electronfrom 0, < 35.7.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L |
References (11)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-55305
- PATCHhttps://github.com/electron/electron
- WEBhttps://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
- WEBhttps://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1
- WEBhttps://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d
- WEBhttps://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee
- WEBhttps://github.com/electron/electron/pull/48101
- WEBhttps://github.com/electron/electron/pull/48102
- WEBhttps://github.com/electron/electron/pull/48103
- WEBhttps://github.com/electron/electron/pull/48104
- WEBhttps://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg