Severity: MEDIUM (5.9) · Ecosystem: npm

Electron: HTTP Response Header Injection in custom protocol handlers and webRequest

GHSA-4p4r-m79c-wq3v · CVE-2026-34767


Description

Impact

Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.

An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.

Apps that do not reflect external input into response headers are not affected.

Workarounds

Validate or sanitize any untrusted input before including it in a response header name or value.
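The validation the workaround calls for, as an added example that is not Electron's own code or part of this advisory, applied to the two places the advisory names: a protocol.handle() response and a webRequest.onHeadersReceived responseHeaders record. The Content-Disposition filename, the 'name' query parameter and the handler wiring in the trailing comment are assumptions for illustration.

```javascript
// Added example (not Electron's code): reject untrusted input that would
// break out of a response header before it is reflected into one.

// Header field-name: RFC 9110 token characters only.
const HEADER_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Header field-value: printable ASCII, SP and HTAB. CR, LF and NUL are
// rejected because they end the current header line, which is what lets
// reflected text become an additional header.
const HEADER_VALUE_RE = /^[\t\x20-\x7e]*$/;

function isSafeHeaderName(name) {
  return typeof name === 'string' && HEADER_NAME_RE.test(name);
}

function isSafeHeaderValue(value) {
  return typeof value === 'string' && HEADER_VALUE_RE.test(value);
}

// protocol.handle() case: a filename taken from the request URL (untrusted,
// hypothetical) is reflected into Content-Disposition. Input that fails
// validation is replaced by a fixed fallback rather than passed through.
function buildDownloadHeaders(untrustedFilename) {
  const safeName =
    isSafeHeaderValue(untrustedFilename) && !/["\\]/.test(untrustedFilename)
      ? untrustedFilename
      : 'download.bin';
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  };
}

// onHeadersReceived case: responseHeaders is a Record<string, string[]>.
// Drop any header whose name or any value fails validation; the cleaned
// record is what should be handed to callback({ responseHeaders }).
function filterResponseHeaders(responseHeaders) {
  const cleaned = {};
  for (const [name, values] of Object.entries(responseHeaders)) {
    const list = Array.isArray(values) ? values : [values];
    if (isSafeHeaderName(name) && list.every(isSafeHeaderValue)) {
      cleaned[name] = list;
    }
  }
  return cleaned;
}

// Hypothetical wiring, needs Electron at runtime:
// protocol.handle('app', (request) => {
//   const name = new URL(request.url).searchParams.get('name') ?? '';
//   return new Response('...', { headers: buildDownloadHeaders(name) });
// });
```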

Fixed Versions

  • 41.0.3
  • 40.8.3
  • 39.8.3
  • 38.8.6

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org.
