CVE-2024-46992: 
JavaScript vulnerability analysis and mitigation

Electron, an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS, was found to contain an ASAR Integrity bypass vulnerability (CVE-2024-46992). The vulnerability affects versions from 30.0.0-alpha.1 to before 30.0.5 and 31.0.0-alpha.1 to before 31.0.0-beta.1. This security issue was discovered and reported by Just-Hack-For-Fun (GitHub Advisory).

The vulnerability is specifically related to ASAR (Electron's Archive format) Integrity bypass. It only affects applications that have both the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. The issue has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access required with low attack complexity and no user interaction needed (GitHub Advisory).

The vulnerability is specific to Windows systems, while applications using these fuses on macOS are not impacted. The issue can only be exploited if the application is launched from a filesystem where the attacker has write access, such as the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against (GitHub Advisory).

There are no application-side workarounds available for this vulnerability. The only mitigation is to update to the patched versions: Electron 30.0.5 or 31.0.0-beta.1 (GitHub Advisory).