PT-2025-35936 · Electron · Electron

Dariushoule · Published 2025-08-19 · Updated 2026-02-13 · CVE-2025-55305

CVSS v3.1 6.1 Medium
Vector AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Electron versions prior to 35.7.5
Electron versions 36.0.0-alpha.1 up to, but not including, 36.8.1
Electron versions 37.0.0-alpha.1 up to, but not including, 37.3.1
Electron versions 38.0.0-alpha.1 up to, but not including, 38.0.0-beta.6
Description Electron is a framework for building cross-platform desktop applications with JavaScript, HTML, and CSS. When the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses are both enabled, Electron validates the integrity of the packaged app.asar archive before loading application code. This vulnerability lets a local attacker bypass that check by modifying application resources that lie outside the archive: the V8 heap snapshot Electron loads at startup is not covered by the ASAR integrity check, so a tampered snapshot executes unsigned JavaScript inside the application while the archive itself still verifies. The result is a persistent local backdoor in applications that rely on these fuses, such as Signal, 1Password, and Slack. Applications that do not enable both fuses are not affected by this advisory. Exploitation requires local access to the installed application, as reflected in the CVSS vector (AV:L).
Recommendations
Electron versions prior to 35.7.5: Update to version 35.7.5 or later.
Electron versions 36.0.0-alpha.1 up to, but not including, 36.8.1: Update to version 36.8.1 or later.
Electron versions 37.0.0-alpha.1 up to, but not including, 37.3.1: Update to version 37.3.1 or later.
Electron versions 38.0.0-alpha.1 up to, but not including, 38.0.0-beta.6: Update to version 38.0.0-beta.6 or later.
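As an added worked check (not code from Electron or from this advisory): a Node.js script that reads the fuse wire out of an Electron binary to tell whether an app is in the impacted configuration (both embeddedAsarIntegrityValidation and onlyLoadAppFromAsar enabled), and compares the shipped Electron version against the patched releases listed above. The fuse-wire layout it assumes (ASCII sentinel, one version byte, one count byte, then one state byte per fuse in FuseV1Options order) is the one used by @electron/fuses; the binary image it parses is a constructed stand-in, not a real build.

```javascript
// Added triage helper for CVE-2025-55305; this is not Electron project code.
// Assumed fuse-wire layout (as used by @electron/fuses): the ASCII sentinel,
// one version byte (1), one byte giving the number of fuse bytes, then one
// state byte per fuse in FuseV1Options order ('0' off, '1' on, 'r' removed).

const FUSE_SENTINEL = 'dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX';

const FUSE_V1_OPTIONS = [
  'RunAsNode',
  'EnableCookieEncryption',
  'EnableNodeOptionsEnvironmentVariable',
  'EnableNodeCliInspectArguments',
  'EnableEmbeddedAsarIntegrityValidation',
  'OnlyLoadAppFromAsar',
  'LoadBrowserProcessSpecificV8Snapshot',
  'GrantFileProtocolExtraPrivileges',
];

const FUSE_STATE = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };

// Patched releases taken from the advisory above, keyed by major version.
const FIXED_VERSION = { 35: '35.7.5', 36: '36.8.1', 37: '37.3.1', 38: '38.0.0-beta.6' };

// Parse the fuse wire out of an Electron binary image (a Buffer).
function readFuseWire(binary) {
  const idx = binary.indexOf(FUSE_SENTINEL);
  if (idx === -1) throw new Error('fuse sentinel not found (not an Electron >= 12 binary)');
  const pos = idx + FUSE_SENTINEL.length;
  const version = binary[pos];
  if (version !== 1) throw new Error(`unsupported fuse wire version ${version}`);
  const count = binary[pos + 1];
  const wire = binary.subarray(pos + 2, pos + 2 + count);
  const fuses = {};
  for (let i = 0; i < wire.length; i++) {
    const name = FUSE_V1_OPTIONS[i] ?? `Unknown${i}`;
    fuses[name] = FUSE_STATE[wire[i]] ?? `unknown(0x${wire[i].toString(16)})`;
  }
  return fuses;
}

// Minimal Electron version parser: MAJOR.MINOR.PATCH with optional -alpha.N / -beta.N.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([a-z]+)\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unparseable Electron version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], tag: m[4] ?? null, n: m[5] ? +m[5] : 0 };
}

// Returns <0, 0 or >0. A prerelease sorts before its release; alpha before beta.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  if (pa.tag === pb.tag) return pa.n - pb.n;
  if (pa.tag === null) return 1;
  if (pb.tag === null) return -1;
  return pa.tag < pb.tag ? -1 : 1;
}

// True when the version is below the patched release for its line.
// Everything older than 35 falls under "prior to 35.7.5"; lines newer than 38
// are not listed in the advisory and are reported as not affected by it.
function isVulnerableVersion(version) {
  const major = parseVersion(version).core[0];
  const fixed = major < 35 ? FIXED_VERSION[35] : FIXED_VERSION[major];
  if (fixed === undefined) return false;
  return compareVersions(version, fixed) < 0;
}

// Combine both checks: an app needs this fix only if it relies on the two
// integrity fuses AND ships an unpatched Electron.
function assess(binary, electronVersion) {
  const fuses = readFuseWire(binary);
  const reliesOnAsarIntegrity =
    fuses.EnableEmbeddedAsarIntegrityValidation === 'enabled' &&
    fuses.OnlyLoadAppFromAsar === 'enabled';
  const unpatched = isVulnerableVersion(electronVersion);
  return { fuses, reliesOnAsarIntegrity, unpatched, needsUpdate: reliesOnAsarIntegrity && unpatched };
}

// Constructed stand-in for a real binary: padding, then a fuse wire with
// cookie encryption, ASAR integrity validation and onlyLoadAppFromAsar enabled.
const SAMPLE_BINARY = Buffer.concat([
  Buffer.from('\x7fELF...constructed padding...'),
  Buffer.from(FUSE_SENTINEL),
  Buffer.from([1, 8]),
  Buffer.from('01001100'),
  Buffer.from('...more constructed padding...'),
]);

console.log(JSON.stringify(assess(SAMPLE_BINARY, '37.2.0'), null, 2));
```

To run this against a real installation, replace SAMPLE_BINARY with fs.readFileSync of the Electron binary: on macOS the fuse wire lives in the Electron Framework binary inside the app bundle (Contents/Frameworks/Electron Framework.framework/Electron Framework), on Windows and Linux in the application's main executable. `npx @electron/fuses read --app <path>` prints the same fuse listing if you prefer the official tool; the version gate is what this script adds on top.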

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-12971
CVE-2025-55305
GHSA-VMQV-HX8Q-J7MG

Affected Products

Electron