Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
GHSA-mwmh-mq4g-g6gr · CVE-2026-34773
Published · Modified
Description
Impact
On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.
Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
Workarounds
Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Ready to move
Start Securing
Free, no credit card | First findings in minutes