Common Weakness Enumeration

CWE-653

Allowed

Improper Isolation or Compartmentalization

Abstraction: Class · Status: Draft

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

101 vulnerabilities reference this CWE, most recent first.

GHSA-XWR5-M59H-VWQR

Vulnerability from github – Published: 2026-04-03 02:43 – Updated: 2026-04-06 23:11
VLAI
Summary
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Details

Impact

The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.

Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.

Workarounds

Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.

Fixed Versions

  • 41.0.0
  • 40.8.4
  • 39.8.4
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "38.8.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "39.0.0-alpha.1"
            },
            {
              "fixed": "39.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "40.0.0-alpha.1"
            },
            {
              "fixed": "40.8.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "electron"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "41.0.0-alpha.1"
            },
            {
              "fixed": "41.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34775"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-653"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T02:43:05Z",
    "nvd_published_at": "2026-04-04T00:16:18Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nThe `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration.\n\nApps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected.\n\n### Workarounds\nAvoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.4`\n* `39.8.4`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)",
  "id": "GHSA-xwr5-m59h-vwqr",
  "modified": "2026-04-06T23:11:00Z",
  "published": "2026-04-03T02:43:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/electron/electron/security/advisories/GHSA-xwr5-m59h-vwqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34775"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/electron/electron"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes"
}

Mitigation
Architecture and Design

Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.

No CAPEC attack patterns related to this CWE.