Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2026-34773
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 week, 1 day ago
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers. Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Affected products

electron
  • ==>= 39.0.0-alpha.1, < 39.8.1
  • ==>= 40.0.0-alpha.1, < 40.8.1
  • ==>= 41.0.0-alpha.1, < 41.0.0
  • ==< 38.8.6

Matching in nixpkgs

pkgs.electron_35

Cross platform desktop application shell

pkgs.electron_36

Cross platform desktop application shell

pkgs.gfn-electron

Linux Desktop client for Nvidia's GeForce NOW game streaming service

pkgs.electron-mail

ElectronMail is an Electron-based unofficial desktop client for ProtonMail