Dariushoule

**Name of the Vulnerable Software and Affected Versions** Electron versions prior to 35.7.5 Electron versions 36.0.0-alpha.1 through 36.8.0 Electron versions 37.0.0-alpha.1 through 37.3.1 Electron versions 38.0.0-alpha.1 through 38.0.0-beta.6 **Description** Electron is a framework used for building cross-platform desktop applications with JavaScript, HTML, and CSS. A flaw exists where the ASAR integrity checks can be bypassed through resource modification. This issue impacts applications that have both the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. The vulnerability allows for subverting code integrity checks, potentially enabling local backdoors in applications like Signal, 1Password, and Slack. The issue exploits flaws in V8 heap snapshots, allowing unsigned JavaScript code to execute. **Recommendations** Electron versions prior to 35.7.5: Update to version 35.7.5 or later. Electron versions 36.0.0-alpha.1 through 36.8.0: Update to version 36.8.1 or later. Electron versions 37.0.0-alpha.1 through 37.3.1: Update to version 37.3.1 or later. Electron versions 38.0.0-alpha.1 through 38.0.0-beta.6: Update to version 38.0.0-beta.6 or later.

**Name of the Vulnerable Software and Affected Versions** Vite versions prior to 2.9.17 Vite versions prior to 3.2.8 Vite versions prior to 4.5.2 Vite versions prior to 5.0.12 **Description** The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames, notably affecting servers hosted on Windows. This bypass is possible because `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. **Recommendations** For versions prior to 2.9.17, upgrade to version 2.9.17 or later. For versions prior to 3.2.8, upgrade to version 3.2.8 or later. For versions prior to 4.5.2, upgrade to version 4.5.2 or later. For versions prior to 5.0.12, upgrade to version 5.0.12 or later. As a temporary workaround, consider restricting access to dev servers until a patch is available.