GHSA-4p4r-m79c-wq3v
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
상세
### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.
An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.
Apps that do not reflect external input into response headers are not affected.
### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value.
### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6`
### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.