21 matches found
CVE-2026-54673
A flaw was found in electron-updater, a component used for automatic updates in Electron applications. This vulnerability allows a remote attacker to obtain sensitive user credentials. When an Electron application performs an HTTP redirect, the electron-updater's redirect handler fails to strip...
CVE-2026-54672
A flaw was found in electron-updater, a component used for automatic updates in Electron applications. This vulnerability arises because AppImage targets, built by app-builder-lib, incorrectly add the current working directory to the dynamic linker search path when setting the LDLIBRARYPATH...
CVE-2026-54673
electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...
CVE-2026-54672
electron-updater allows for automatic updates for Electron apps. Prior to 26.15.0, AppImage targets built by app-builder-lib could use an empty path component when setting the LDLIBRARYPATH environment variable at runtime. This causes the current working directory to be added to the dynamic linke...
CVE-2026-54673
The CVE affects electron-updater (builder-util-runtime component) prior to version 9.7.0. The root cause is that HttpExecutor.prepareRedirectUrlOptions only stripped a credential header named exactly the lowercase string “authorization.” Other credential-bearing headers, notably PRIVATE-TOKEN and...
CVE-2026-54673 electron-updater: Cross-origin redirect leaks `PRIVATE-TOKEN` and mixed-case `Authorization` credentials in `builder-util-runtime`
electron-updater allows for automatic updates for Electron apps. Prior to 9.7.0, the HTTP redirect handler HttpExecutor.prepareRedirectUrlOptions only stripped a credential header whose key string matched exactly lowercase "authorization", exposing credentials. Other credential-bearing headers —...
PT-2026-54018
Name of the Vulnerable Software and Affected Versions electron-updater versions prior to 26.15.0 Description AppImage targets built by app-builder-lib can use an empty path component when setting the LD LIBRARY PATH environment variable at runtime. This behavior causes the current working directo...
CVE-2024-39698
electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...
EUVD-2024-2310
Malicious code in bioql PyPI...
Improper Verification Of Cryptographic Signature
electron-updater is vulnerable to Improper Verification of Cryptographic Signature. The vulnerability is caused due to improper handling and comparison of file paths, allowing an attacker to bypass signature verification by exploiting environment variable expansion and tricking the application in...
CVE-2024-39698
electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...
CVE-2024-39698 Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6
electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...
CVE-2024-39698 Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6
electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...
CVE-2024-39698
The CVE-2024-39698 entry concerns a Windows code-signing bypass in electron-updater. A flaw in the verification routine in packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts arises because the surrounding shell (cmd.exe) expands environment variables in the command line, enab...
CVE-2024-39698 Code Signing Bypass on Windows in electron-updater < 6.3.0-alpha.6
electron-updater allows for automatic updates for Electron apps. The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. Because of the surrounding shell, a first pass by cmd.exe expands any...
electron-updater Code Signing Bypass on Windows
Observations The file packages/electron-updater/src/windowsExecutableCodeSignatureVerifier.ts implements the signature validation routine for Electron applications on Windows. It executes the following command in a new shell process.env.ComSpec on Windows, usually C:\Windows\System32\cmd.exe:...
PT-2024-28636 · Unknown · Electron-Updater
Name of the Vulnerable Software and Affected Versions: electron-updater versions prior to 6.3.0-alpha.6 Description: The issue concerns the signature validation routine for Electron applications on Windows, implemented in the file...
@philipplgh/electron-app-manager (>=0.12.0 <=0.56.0), electron-app-manager (>=0.56.0 <=0.57.1) +4 more potentially affected by unknown CVE via electron-updater (>=4.0.0 <=4.1.2)
electron-updater NPM version =4.0.0, =0.12.0, =0.56.0, =0.0.2, =4.0.3, =1.0.0, =1.3.1 Source cves: unknown CVE Source advisory: SNYK:JS-ELECTRONUPDATER-567704...
Signature Validation Bypass
Overview electron-updater is a module allowing applications to implement auto-update functionality. Affected versions of this package are vulnerable to Signature Validation Bypass. The signature verification check is based on a string comparison between the installed binary’s publisherName and th...
@philipplgh/electron-app-manager (>=0.12.0 <=0.56.0), electron-app-manager (>=0.56.0 <=0.57.1) +4 more potentially affected by unknown CVE via electron-updater (>=4.0.0 <=4.1.2)
electron-updater NPM version =4.0.0, =0.12.0, =0.56.0, =0.0.2, =4.0.3, =1.0.0, =1.3.1 Source cves: unknown CVE Source advisory: SNYK:JS-ELECTRONUPDATER-561421...