CVE-2025-55305

Description

### Impact This only impacts apps that have the `embeddedAsarIntegrityValidation` and `onlyLoadAppFromAsar` [fuses](https://www.electronjs.org/docs/latest/tutorial/fuses) enabled. Apps without these fuses enabled are not impacted. Specifically this issue can only be exploited if your app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the `resources` folder in your app installation on Windows which these fuses are supposed to protect against. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `38.0.0-beta.6` * `37.3.1` * `36.8.1` * `35.7.5` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

How to fix CVE-2025-55305

To remediate CVE-2025-55305, upgrade the affected package to a fixed version below.

• —upgrade to 35.7.5 or later

Is CVE-2025-55305 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 35.7.5

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-55305
• PATCHgithub.com/electron/electron
• WEBgithub.com/electron/electron/commit/23a02934510fcf951428e14573d9b2d2a3c4f28b
• WEBgithub.com/electron/electron/commit/2e5a0b7220ebf955c6785cc5adb2e2b1cf77dac1