CVE-2026-34767
HTTP Response Header Injection in Electron Protocol Handlers
Publication date: 2026-04-04
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electronjs | electron | to 38.8.6 (exc) |
| electronjs | electron | From 39.0.0 (inc) to 39.8.3 (exc) |
| electronjs | electron | From 40.0.0 (inc) to 40.8.3 (exc) |
| electronjs | electron | From 41.0.0 (inc) to 41.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-113 | The product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34767 is a moderate severity vulnerability in the Electron framework affecting versions prior to 38.8.6, 39.8.3, 40.8.3, and 41.0.3. It arises from HTTP response header injection when applications register custom protocol handlers or modify response headers and reflect attacker-controlled input into HTTP response header names or values without proper validation.
This improper handling allows an attacker to inject additional HTTP response headers, potentially manipulating cookies, Content Security Policy (CSP), or cross-origin resource sharing (CORS) controls. The root cause is the failure to neutralize special characters like carriage return and line feed in headers, enabling HTTP response splitting attacks.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to inject malicious HTTP response headers, which can affect the integrity of cookies, content security policies, and cross-origin access controls.
This can lead to security issues such as unauthorized access, bypassing security policies, or manipulation of user sessions. However, exploitation requires user interaction and specific conditions, and the confidentiality impact is low.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves HTTP response header injection when attacker-controlled input is reflected into HTTP response header names or values in Electron applications using custom protocol handlers or the webRequest API.
To detect this vulnerability on your system or network, you should monitor HTTP responses from Electron-based applications for unexpected or suspicious additional headers that could indicate header injection.
Since the issue arises from reflection of untrusted input into response headers, you can test by sending crafted requests with CRLF (Carriage Return and Line Feed) characters or other special sequences in inputs that might be reflected in headers, then inspect the HTTP responses for injected headers.
Commands or tools that can help include using curl or similar HTTP clients to send requests and observe headers, for example:
- curl -v --header "X-Test: test%0d%0aInjected-Header: injected" http://target-application
- Use a proxy tool like Burp Suite or OWASP ZAP to intercept and modify requests to inject CRLF sequences and observe if additional headers appear in responses.
- Use network traffic analyzers like Wireshark to capture and analyze HTTP responses for unexpected headers.
Note that detection requires knowledge of which inputs might be reflected into headers, so testing should focus on inputs handled by custom protocol handlers or webRequest.onHeadersReceived modifications.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade Electron to a patched version: 38.8.6, 39.8.3, 40.8.3, or 41.0.3 or later.
- Validate and sanitize all untrusted input before including it in HTTP response header names or values to prevent injection of CRLF or other special characters.
- Review application code that registers custom protocol handlers via protocol.handle() or protocol.registerSchemesAsPrivileged(), and code that modifies response headers via webRequest.onHeadersReceived, ensuring no external input is reflected without proper sanitization.
- If upgrading immediately is not possible, consider disabling or restricting features that allow modification of response headers or custom protocol handlers until a patch can be applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to inject additional HTTP response headers, potentially manipulating cookies, Content Security Policy (CSP), or cross-origin resource sharing (CORS) controls. Such manipulation can lead to unauthorized access or data integrity issues.
Because the vulnerability can affect the integrity of HTTP headers and potentially expose or manipulate sensitive data, it may impact compliance with standards and regulations that require protection of personal data and secure handling of information, such as GDPR and HIPAA.
Mitigating this vulnerability by validating or sanitizing all untrusted input before including it in HTTP response headers is essential to maintain compliance with these regulations, which mandate appropriate security controls to protect data confidentiality and integrity.