GHSA-6r2x-8pq8-9489: Electron vulnerable to Heap Buffer Overflow in NativeImage
Impact
The nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a downstream function that is vulnerable to a heap buffer overflow. An Electron application that passes attacker-controlled image data to either function, where the attacker controls the image's height, width, and contents, can be made to overflow a heap buffer.
Workaround
There are no app-side workarounds for this issue. You must update your Electron version to be protected.
Patches
v28.3.2
v29.3.3
v30.0.3
For More Information
If you have any questions or comments about this advisory, email us at security@electronjs.org.
CVE ID: CVE-2024-46993
Severity: Moderate (GitHub Reviewed)
Published Jun 30, 2025 in electron/electron. Updated Jun 30, 2025.
Package: electron (npm)
Affected versions
< 28.3.2
>= 29.0.0-alpha.1, < 29.3.3
>= 30.0.0-alpha.1, < 30.0.3
Patched versions
28.3.2
29.3.3
30.0.3
References
- GHSA-6r2x-8pq8-9489
Published to the GitHub Advisory Database: Jun 30, 2025
Last updated: Jun 30, 2025