Electron Apps: Malicious Header Injection Through Custom Protocol Handlers
GHSA-4p4r-m79c-wq3v
CVE-2026-34767
Summary
Electron apps that serve custom protocols (`protocol.handle()`) or modify response headers in `webRequest.onHeadersReceived` are vulnerable to HTTP response header injection when attacker-controlled input is reflected, unsanitized, into a response header name or value. Control characters such as CR/LF in the reflected value let the attacker terminate the header line and append headers of their own, which can set cookies, weaken the Content-Security-Policy, or loosen cross-origin access controls. Apps that never reflect external input into response headers are not affected. To protect your app, validate or sanitize any untrusted input before including it in a response header, and update to a fixed Electron release.
What to do
- Update electron to the fixed release for the major version line you ship: 38.8.6, 39.8.3, 40.8.3 or 41.0.3.
- Until you can update, validate or sanitize any untrusted input before it reaches a response header name or value (see Workarounds below).
- Audit your `protocol.handle()` handlers and `webRequest.onHeadersReceived` listeners for places where request data (URL, query string, request headers) is copied into response headers.
Affected software
| Vendor | Product | Affected versions | Fixed in |
|---|---|---|---|
| – | electron | < 38.8.6 | 38.8.6 |
| – | electron | >= 39.0.0-alpha.1, < 39.8.3 | 39.8.3 |
| – | electron | >= 40.0.0-alpha.1, < 40.8.3 | 40.8.3 |
| – | electron | >= 41.0.0-alpha.1, < 41.0.3 | 41.0.3 |
Original title
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Original description
### Impact
Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.
An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.
Apps that do not reflect external input into response headers are not affected.
### Workarounds
Validate or sanitize any untrusted input before including it in a response header name or value.
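The following is an added example, not code from Electron or from the advisory, illustrating both the Summary above and this workaround. It shows a `protocol.handle()`-style handler that reflects a query parameter into `Content-Disposition` (vulnerable), its hardened counterpart, and a validated merge for the `Record<string, string[]>` header shape used by `onHeadersReceived`. The `app://` scheme, the `name` query parameter and the attack string are constructed for the demo; the header name and value grammars follow RFC 9110.

```javascript
// Added example (not Electron's code): validating header names and values
// before they reach a protocol.handle() Response or an onHeadersReceived callback.
// The app:// URL, the "name" parameter and ATTACK_URL are constructed for this demo.

// RFC 9110 token: the only characters legal in a header field name.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// RFC 9110 field-value: VCHAR, SP, HTAB and obs-text. CR, LF and NUL are excluded,
// which is what stops a value from ending its line and starting a new header.
const FIELD_VALUE_RE = /^[\t\x20-\x7E\x80-\xFF]*$/;

function isValidHeaderName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

function isValidHeaderValue(value) {
  return typeof value === 'string' && FIELD_VALUE_RE.test(value);
}

// Throws on the first header whose name or value cannot be serialized safely.
// Values may be a string (Response headers) or a string[] (onHeadersReceived shape).
function assertSafeHeaders(headers) {
  for (const [name, raw] of Object.entries(headers)) {
    if (!isValidHeaderName(name)) {
      throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    }
    for (const value of Array.isArray(raw) ? raw : [raw]) {
      if (!isValidHeaderValue(value)) {
        throw new Error(`invalid value for ${name}: ${JSON.stringify(value)}`);
      }
    }
  }
  return headers;
}

// Models the wire form so the injection is visible: one "name: value" line per header.
function serializeHeaders(headers) {
  return Object.entries(headers)
    .flatMap(([name, raw]) => (Array.isArray(raw) ? raw : [raw]).map(v => `${name}: ${v}`))
    .join('\r\n') + '\r\n';
}

// Number of header lines a receiver would parse out of the wire form.
function countWireHeaders(wire) {
  return wire.split('\r\n').filter(Boolean).length;
}

// VULNERABLE: the "name" query parameter of a custom-protocol request is reflected
// verbatim into Content-Disposition. A value containing CRLF becomes extra headers.
function vulnerableHeadersFor(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') ?? 'download.bin';
  return {
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${name}"`,
  };
}

// HARDENED: allowlist the reflected value, then validate every header as a last check.
function hardenedHeadersFor(requestUrl) {
  const name = new URL(requestUrl).searchParams.get('name') ?? 'download.bin';
  const safeName = name.replace(/[^A-Za-z0-9._-]/g, '_').slice(0, 255);
  return assertSafeHeaders({
    'Content-Type': 'application/octet-stream',
    'Content-Disposition': `attachment; filename="${safeName}"`,
  });
}

// onHeadersReceived-style merge: add app-chosen headers to the existing
// Record<string, string[]> only after validation, so the object handed to
// callback({ responseHeaders }) can never carry a split line.
function mergeResponseHeaders(responseHeaders, extra) {
  assertSafeHeaders(extra);
  const merged = { ...responseHeaders };
  for (const [name, raw] of Object.entries(extra)) {
    merged[name] = Array.isArray(raw) ? raw : [raw];
  }
  return merged;
}

// Constructed attacker input: a "filename" that smuggles Set-Cookie and a second header.
const ATTACK_URL =
  'app://downloads/report?name=x.txt%22%0D%0ASet-Cookie:%20session=attacker%0D%0AX-Injected:%201';

// Side-by-side wire forms for the same request, for inspection.
function demo() {
  return {
    vulnerable: serializeHeaders(vulnerableHeadersFor(ATTACK_URL)),
    hardened: serializeHeaders(hardenedHeadersFor(ATTACK_URL)),
  };
}
```

With `ATTACK_URL`, `vulnerableHeadersFor` yields four header lines on the wire (the injected `Set-Cookie` and `X-Injected` among them) while `hardenedHeadersFor` yields two. The character-class check is deliberately placed after the allowlist: sanitizing the one value you know about is good, but rejecting any name or value containing CR, LF or NUL at the point where headers leave your code catches the reflection you did not think of.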
### Fixed Versions
* `41.0.3`
* `40.8.3`
* `39.8.3`
* `38.8.6`
### For more information
If there are any questions or comments about this advisory, send an email to [[email protected]](mailto:[email protected])
CVSS 3.1 base score (GHSA): 5.9
Vulnerability type: CWE-74 (Injection), CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers, "HTTP Response Splitting")
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026