CVE-2025-55305
Integrity Bypass vulnerability in electron
What is CVE-2025-55305 About?
This vulnerability is an integrity bypass in Electron apps with `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses enabled. It allows attackers with write access to the filesystem to modify application resources, despite integrity protections. Exploitation requires local filesystem write access and specific Electron fuse configurations.
Affected Software
- electron
- >37.0.0-alpha.1, <37.3.1
- >38.0.0-alpha.1, <38.0.0-beta.6
- >36.0.0-alpha.1, <36.8.1
- <35.7.5
Technical Details
The vulnerability targets Electron applications configured with both `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses. These fuses are intended to prevent tampering with application resources by ensuring that the app only loads from its ASAR archive and that the archive's integrity is validated. However, this issue can be exploited if an attacker has write access to the filesystem where the app is installed, specifically within the `resources` folder on Windows. The exploit allows the attacker to bypass the integrity validation, enabling them to modify files inside the ASAR archive or alter how the application loads resources, despite the protective fuses being active. The flaw lies in how the integrity validation mechanism handles or trusts certain aspects related to the filesystem when these fuses are enabled, allowing an attacker with local access to inject malicious code or alter application behavior.
What is the Impact of CVE-2025-55305?
Successful exploitation may allow attackers to bypass integrity protections, modify application files, and potentially execute arbitrary code within the context of the Electron application.
What is the Exploitability of CVE-2025-55305?
Exploitation of this vulnerability requires a specific application configuration: both `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` fuses must be enabled. The attacker must also have local write access to the filesystem where the Electron app is installed, particularly to the `resources` folder on Windows. No authentication is explicitly required for the exploit itself, but local access to the target system is a prerequisite. The attack is local, not remote. There are no known workarounds, necessitating an update to a patched Electron version. The risk increases if the Electron application is deployed in environments where users or other processes have write access to its installation directory.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2025-55305?
Available Upgrade Options
- electron
- <35.7.5 → Upgrade to 35.7.5
- electron
- >36.0.0-alpha.1, <36.8.1 → Upgrade to 36.8.1
- electron
- >37.0.0-alpha.1, <37.3.1 → Upgrade to 37.3.1
- electron
- >38.0.0-alpha.1, <38.0.0-beta.6 → Upgrade to 38.0.0-beta.6
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2025-55305
- https://github.com/electron/electron/pull/48101
- https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
- https://github.com/electron/electron/security/advisories/GHSA-vmqv-hx8q-j7mg
- https://github.com/electron/electron/pull/48101
- https://github.com/electron/electron
- https://github.com/electron/electron/pull/48104
- https://github.com/electron/electron/pull/48104
- https://github.com/electron/electron/pull/48102
- https://github.com/electron/electron/pull/48102
What are Similar Vulnerabilities to CVE-2025-55305?
Similar Vulnerabilities: CVE-2022-21696 , CVE-2023-38495 , CVE-2021-27905 , CVE-2020-15160 , CVE-2022-4288
