Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-hvf8-h2qh-37m9

GitHub Security Advisory

IPC messages delivered to the wrong frame in Electron

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
IPC messages sent from the main process to a subframe in the renderer process, through `webContents.sendToFrame`, `event.reply` or when using the `remote` module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:
- Uses `remote`
- Calls `webContents.sendToFrame`
- Calls `event.reply` in an IPC message handler

### Patches
This has been fixed in the following versions:

- 9.4.0
- 10.2.0
- 11.1.0
- 12.0.0-beta.9

### Workarounds
There are no workarounds for this issue.

### For more information
If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected]).

Affected Packages

npm electron
Affected versions: 0 (fixed in 9.4.0)
npm electron
Affected versions: 10.0.0 (fixed in 10.2.0)
npm electron
Affected versions: 11.0.0 (fixed in 11.1.0)

Related CVEs

CVE-2020-26272

Key Information

GHSA ID
GHSA-hvf8-h2qh-37m9
Published
January 28, 2021 7:11 PM
Last Modified
May 27, 2025 3:20 PM
CVSS Score
5.0 /10
Primary Ecosystem
npm
Primary Package
electron
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 12, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.