Electron Registry Key Path Injection Vulnerability in Default Protocol Client Handling on Windows
Vulnerability
A vulnerability exists in Electron's handling of default protocol clients on Windows. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, the framework's app.setAsDefaultProtocolClient() method did not properly validate protocol names before writing to the Windows registry. This flaw allows applications that use untrusted input for protocol names to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers. The issue affects only those applications that derive protocol names from external sources, while those using hardcoded names are not vulnerable.
Impact
Exploitation of this vulnerability could lead to unauthorized modifications of the Windows registry, specifically under HKCU\Software\Classes\, the per-user class registration key. This could allow an attacker to hijack protocol handlers, causing the system to misroute or improperly handle certain types of links or commands.
Remediation
To address this vulnerability, developers should update to Electron versions 38.8.6, 39.8.1, 40.8.1, or 41.0.0. Additionally, it is recommended to validate protocol names against a regular expression that ensures they conform to the expected scheme format before passing them to the app.setAsDefaultProtocolClient() method.
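The validation step recommended above, written out as an added example that is not Electron's own code or the project's actual fix. The regular expression is an assumption on my part, following the URI scheme grammar from RFC 3986 (a letter followed by letters, digits, "+", "-" or "."); the page does not state which pattern Electron adopted. The wrapper takes the `app` object as a parameter so it can be exercised with a constructed test double outside Electron; in a real application you would pass `require('electron').app`.

```javascript
// Added example: guard app.setAsDefaultProtocolClient() against untrusted
// protocol names. Not Electron's code; the regex below is an assumption
// modelled on RFC 3986 scheme syntax, not the pattern used in Electron's fix.
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.-]{0,63}$/;

// True only for a well-formed URI scheme. Backslashes, path separators,
// whitespace and leading digits all fail the single anchored regex, so the
// allow-list approach needs no separate deny-list of "dangerous" characters.
function isValidProtocolName(name) {
  return typeof name === 'string' && SCHEME_RE.test(name);
}

// Guarded wrapper around the Electron API. `app` is injected so this can run
// under plain Node for testing; pass require('electron').app in a real app.
// Throws instead of silently skipping, so a bad name from an external source
// is surfaced to the developer rather than registering nothing.
function registerProtocolSafely(app, protocolName) {
  if (!isValidProtocolName(protocolName)) {
    throw new Error(
      `refusing to register protocol handler for ${JSON.stringify(protocolName)}`
    );
  }
  // The name is now a plain scheme such as "myapp", so the registry write
  // stays at HKCU\Software\Classes\<scheme> and cannot reach a sibling key.
  return app.setAsDefaultProtocolClient(protocolName);
}

// Constructed test double standing in for Electron's `app` object; it only
// records what it was asked to register.
function makeFakeApp() {
  const calls = [];
  return {
    calls,
    setAsDefaultProtocolClient(name) {
      calls.push(name);
      return true;
    },
  };
}

// Constructed candidate names: valid schemes plus malformed inputs of the
// kind an external source might supply (backslash, space, empty, leading digit).
const CANDIDATES = ['myapp', 'my-app+v2', 'x.y', 'bad\\name', 'my app', '', '9abc'];

// Runs every candidate through the guarded wrapper and reports which were
// registered and which were rejected. Returns the result for assertions.
function classifyCandidates(names) {
  const app = makeFakeApp();
  const rejected = [];
  for (const name of names) {
    try {
      registerProtocolSafely(app, name);
    } catch (err) {
      rejected.push(name);
    }
  }
  return { accepted: app.calls, rejected };
}

const summary = classifyCandidates(CANDIDATES);
console.log('accepted:', summary.accepted);
console.log('rejected:', summary.rejected);
```

The important property is that the check is an allow-list anchored at both ends: rather than trying to enumerate characters that would let a name escape the intended registry subkey, it accepts only the narrow grammar a URI scheme can have. Hardcoded protocol names trivially pass; anything derived from configuration files, command-line arguments or network input is rejected unless it is a plain scheme.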
