CVE-2025-55305

Impact

This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted.

Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the resources folder in your app installation on Windows which these fuses are supposed to protect against.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

38.0.0-beta.6
37.3.1
36.8.1
35.7.5

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org

Published: Sep 3, 2025
Updated: Sep 4, 2025
CVE: CVE-2025-55305
GHSA: GHSA-vmqv-hx8q-j7mg
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:L

CWEs:

Affected Software
References

Software	From	Fixed in
electron	-	35.7.5
electron	36.0.0-alpha.1	36.8.1
electron	37.0.0-alpha.1	37.3.1
electron	38.0.0-alpha.1	38.0.0-beta.6

Vulnerability Database

CVE-2025-55305

Impact

Workarounds

Fixed Versions

For more information