Affected versions
Electron 39.0.0-alpha.1 to 39.7.9, 40.0.0-alpha.1 to 40.6.9, 41.0.0-alpha.1 to 41.0.0-beta.7
Summary
This vulnerability allows a context isolation bypass in the Electron framework for desktop applications. Only applications that pass VideoFrame objects across the contextBridge are affected. Attackers who can run JavaScript via XSS can use this to gain access to the isolated world and to Node.js APIs.
Remediation
Update Electron to the patched versions: 39.8.0, 40.7.0, or 41.0.0-beta.8 immediately. Review your application code to ensure no unnecessary objects are exposed across the contextBridge. Rebuild and redeploy any affected applications with the updated Electron version.
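One way to act on the code-review advice above, as an added example that is not Electron's or the advisory's own code: a guard for a preload script that rejects any value containing class or host instances (such as a VideoFrame) before it is handed to contextBridge.exposeInMainWorld, so that only the plain fields the renderer actually needs cross the bridge. FakeVideoFrame, findNonPlainPaths, toBridgeSafe and frameMetadata are constructed names.

```javascript
// Prototypes that count as plain data; anything else is a class or host instance.
const PLAIN_PROTOS = new Set([Object.prototype, Array.prototype, null]);

// Walks a value and returns the paths of everything that is not plain data
// (functions, symbols, class/host instances). Empty array means safe to expose.
function findNonPlainPaths(value, path = '$', seen = new WeakSet(), out = []) {
  const t = typeof value;
  if (value === null || t === 'string' || t === 'number' || t === 'boolean') {
    return out;
  }
  if (t !== 'object') {              // function, symbol, bigint, undefined
    out.push(`${path} (${t})`);
    return out;
  }
  if (seen.has(value)) return out;   // tolerate cycles
  seen.add(value);
  const proto = Object.getPrototypeOf(value);
  if (!PLAIN_PROTOS.has(proto)) {
    // Do not descend into non-plain objects: the instance itself is the problem.
    // Apps that legitimately need raw buffers could add an ArrayBuffer.isView allowance here.
    const name = (proto && proto.constructor && proto.constructor.name) || 'unknown';
    out.push(`${path} (instance of ${name})`);
    return out;
  }
  for (const key of Object.keys(value)) {
    findNonPlainPaths(value[key], `${path}.${key}`, seen, out);
  }
  return out;
}

// Gate placed in front of every value a preload script exposes.
// Throws instead of silently letting a host object cross the bridge.
function toBridgeSafe(value) {
  const bad = findNonPlainPaths(value);
  if (bad.length) {
    throw new TypeError(`refusing to expose non-plain data: ${bad.join(', ')}`);
  }
  return value;
}

// Constructed stand-in for a host object such as VideoFrame (not the real class).
class FakeVideoFrame {
  constructor() { this.codedWidth = 640; this.codedHeight = 480; }
}

// What the preload should hand over: only the metadata the renderer needs,
// never the frame object itself. In a real preload script this is the value
// you would pass to contextBridge.exposeInMainWorld.
function frameMetadata(frame) {
  return toBridgeSafe({ width: frame.codedWidth, height: frame.codedHeight });
}
```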