GHSA-vmqv-hx8q-j7mg
Electron has ASAR Integrity Bypass via resource modification
Details
### Impact
This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted.
Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the attacker is able to edit files inside the `resources` folder of your app installation on Windows, which is what these fuses are supposed to protect against.
### Workarounds
There are no app-side workarounds; you must update to a patched version of Electron.
### Fixed Versions
* `38.0.0-beta.6`
* `37.3.1`
* `36.8.1`
* `35.7.5`
### For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).
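The impact condition and the fixed-version list above can be turned into a triage check for an app inventory. This is an added example, not code from the advisory or the Electron project; the function names and result labels are hypothetical, and it assumes majors after 38 carry the fix and that only alpha/beta prerelease tags need ordering.

```javascript
// Added example: triage helper for GHSA-vmqv-hx8q-j7mg (not Electron project code).
// First patched release per major line, copied from the advisory's "Fixed Versions".
const FIXED = { 35: '35.7.5', 36: '36.8.1', 37: '37.3.1', 38: '38.0.0-beta.6' };

// Parse "38.0.0-beta.6" into { core: [38, 0, 0], pre: ['beta', 6] }.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version.trim());
  if (!m) return null;
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver precedence: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length; // release > prerelease
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1; // shorter prerelease sorts first
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x !== typeof y) return typeof x === 'number' ? -1 : 1; // numeric < alphanumeric
    return x < y ? -1 : 1;
  }
  return 0;
}

// Returns 'not-impacted', 'patched', 'vulnerable' or 'unknown'.
function assess({ version, embeddedAsarIntegrityValidation, onlyLoadAppFromAsar }) {
  // The advisory only applies when both fuses are enabled.
  if (!(embeddedAsarIntegrityValidation && onlyLoadAppFromAsar)) return 'not-impacted';
  const v = parse(version);
  if (!v) return 'unknown';
  // Assumption: only alpha/beta prerelease tags are ordered; others (e.g. nightly) are not judged.
  if (v.pre.length && !['alpha', 'beta'].includes(v.pre[0])) return 'unknown';
  const fixed = FIXED[v.core[0]];
  if (!fixed) {
    // Assumption: majors after 38 carry the fix; the advisory lists nothing for majors before 35.
    return v.core[0] > 38 ? 'patched' : 'unknown';
  }
  return compare(v, parse(fixed)) >= 0 ? 'patched' : 'vulnerable';
}
```

An `unknown` result means the advisory gives no fixed version to compare against, so the build needs a manual look.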
Affected packages
38.0.0-alpha.1
Fixed in: 38.0.0-beta.6
npm install electron@38.0.0-beta.6
References
- https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-55305 [ADVISORY]
- https://github.com/electron/electron/pull/48101 [WEB]
- https://github.com/electron/electron/pull/48102 [WEB]
- https://github.com/electron/electron/pull/48103 [WEB]
- https://github.com/electron/electron/pull/48104 [WEB]
- https://github.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b [WEB]
- https://github.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1 [WEB]
- https://github.com/electron/electron/commit/3f92511cdecc39f46b0e86cce40a0c691e301c9d [WEB]
- https://github.com/electron/electron/commit/fdf29ce83870109d403f5c23ae529dbd0e8f4fee [WEB]
- https://github.com/electron/electron [PACKAGE]