ASAR Integrity bypass via filetype confusion in electron
Description
Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to macOS, as these fuses are only currently supported on macOS. Specifically, this issue can only be exploited if your app is launched from a filesystem the attacker has write access to, i.e. the attacker has the ability to edit files inside the .app bundle on macOS, which is exactly what these fuses are supposed to protect against. There are no app-side workarounds; you must update to a patched version of Electron.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Electron's asar integrity validation fuses on macOS can be bypassed if an attacker can write to the app bundle, enabling arbitrary code execution.
Vulnerability
Description
CVE-2023-44402 affects Electron applications that have both the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. These fuses are designed to ensure that the application only loads code from a valid, signed ASAR archive, preventing tampering with the app's contents on macOS. However, a flaw in the validation logic allows an attacker to bypass these protections if they have write access to the filesystem containing the .app bundle [1][2].
Exploitation
The exploit requires the attacker to be able to modify files inside the .app bundle, for instance, by having write permissions to the directory where the app is installed or by tricking the user into running the app from a location the attacker controls. When the app launches from a compromised filesystem, the fuses fail to properly enforce that the loaded archive is a genuine ASAR file, allowing a malicious replacement to be used instead [2].
Impact
Successful exploitation allows an attacker to execute arbitrary code within the context of the Electron application. Since Electron apps often have access to system resources, this could lead to data theft, privilege escalation, or further compromise of the user's system.
Mitigation
Users must update their Electron framework to a patched version that addresses this validation bypass. The fix was implemented in pull request #39788 and backported to multiple stable branches [4]. There are no workarounds available for affected applications; updating is the only remedy [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| electron (npm) | < 22.3.24 | 22.3.24 |
| electron (npm) | >= 24.0.0-alpha.1, < 24.8.3 | 24.8.3 |
| electron (npm) | >= 25.0.0-alpha.1, < 25.8.1 | 25.8.1 |
| electron (npm) | >= 26.0.0-alpha.1, < 26.2.1 | 26.2.1 |
| electron (npm) | >= 27.0.0-alpha.1, < 27.0.0-alpha.7 | 27.0.0-alpha.7 |
| electron (npm) | >= 23.0.0-alpha.1, <= 23.3.13 | — |
Affected products
- Range: < 22.3.24
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7m48-wc93-9g85
- nvd.nist.gov/vuln/detail/CVE-2023-44402
- github.com/electron/electron/pull/39788
- github.com/electron/electron/security/advisories/GHSA-7m48-wc93-9g85
- www.electronjs.org/docs/latest/tutorial/fuses
News mentions
No linked articles in our index yet.