Electron USB Device Selection Validation Vulnerability
Vulnerability
A vulnerability exists in Electron's handling of the select-usb-device event callback. In versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the callback did not properly validate the selected device ID against the filtered list provided to the handler. This flaw could allow an application to access a device that either did not meet the renderer's specified filters or was included in the exclusionFilters. While the WebUSB security blocklist remained active, protecting sensitive devices on the blocklist, the vulnerability could impact applications with unconventional device-selection processes.
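The check the fixed versions perform inside Electron can also be applied at the application level, which matters for apps with a custom picker running on an unpatched version. The following is an added example, not Electron's code or part of this advisory; it assumes only the documented event shape (`details.deviceList` and `callback(deviceId)`, with a bare `callback()` cancelling the request), and the `pickDevice` function stands in for whatever custom selection UI the app uses.

```javascript
// Added example: app-side validation of the device chosen for Electron's
// `select-usb-device` callback. The list Electron hands the handler in
// `details.deviceList` is already filtered by the renderer's `filters` and
// `exclusionFilters`, so any ID outside that list must never reach the
// callback, whatever the custom picker returned.

// Returns the deviceId that may be passed to the callback, or undefined
// (which cancels the request) when the chosen ID is not in the filtered list
// or is not even a string.
function validateUsbSelection(deviceList, chosenDeviceId) {
  if (typeof chosenDeviceId !== 'string') return undefined;
  const allowed = Array.isArray(deviceList) &&
    deviceList.some((d) => d && d.deviceId === chosenDeviceId);
  return allowed ? chosenDeviceId : undefined;
}

// Registers the handler on a session-like object (`session.on(...)`), so the
// wiring can be exercised with a fake session. `pickDevice` is hypothetical:
// it receives the filtered list and returns the ID the user picked, which is
// only trusted after validation. A real picker is typically asynchronous;
// keep the same validation step in front of `callback` in that case.
function registerUsbHandler(session, pickDevice) {
  session.on('select-usb-device', (event, details, callback) => {
    // Take over selection from Electron's default (no-device) behaviour.
    event.preventDefault();
    const picked = pickDevice(details.deviceList);
    // An out-of-list ID (for example one the renderer excluded) becomes a
    // cancel instead of being passed through to the renderer.
    callback(validateUsbSelection(details.deviceList, picked));
  });
}

// Constructed sample: the filtered list Electron would supply for a request
// whose filters matched exactly one attached device.
const SAMPLE_DEVICE_LIST = [
  { deviceId: 'dev-1', vendorId: 0x1234, productId: 0x0001 },
];

// Helper for a picker that simply takes the first filtered device.
function pickFirstDevice(deviceList) {
  return deviceList.length > 0 ? deviceList[0].deviceId : undefined;
}
```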
Impact
Exploitation of this vulnerability could lead to unauthorized access to USB devices, bypassing the intended filter restrictions. This could allow applications to interact with devices that should have been excluded based on the user's specified criteria.
Remediation
Users must update to Electron versions 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 to address this vulnerability.
