Launch Week Day 1: Announcing Security Design Review
Start for Free
MEDIUM 5.9 npm

Electron: Service worker can spoof executeJavaScript IPC replies

GHSA-xj5x-m3f3-5x3h · CVE-2026-34778

Published · Modified

Description

Impact

A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.

Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.

Workarounds

Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes