## Electron ASAR Integrity Bypass: Local Attackers Can Tamper with App Resources (CVE-2025-55305)
A moderate-severity vulnerability in the Electron framework allows an attacker with local write access to bypass the framework's integrity checks and tamper with application code. The flaw, tracked as CVE-2025-55305 and GHSA-vmqv-hx8q-j7mg, resides in ASAR integrity validation: the mechanism that hashes the `app.asar` header and the blocks of each file inside it and compares them against a value embedded in the application binary at build time. An attacker who can write to an application's `resources` folder can modify what the application ends up running, circumventing the validation designed to prevent exactly that tampering. The result is a pathway for code injection and for loading functionality the developer never shipped. Two caveats frame the exposure: ASAR integrity is opt-in (the `EnableEmbeddedAsarIntegrityValidation` fuse, normally paired with `OnlyLoadAppFromAsar`), and it is enforced only on macOS and Windows, so the bypass matters for the applications that had turned the check on to get tamper resistance; an application that never enabled it was not relying on this protection in the first place.

On the 35.x line, every Electron release before 35.7.5 is affected; the fix was also shipped on the newer supported major lines, and the advisory lists the patched version for each. The CVSS v3.1 vector is local: low privileges and user interaction are required, but attack complexity is low, so once an attacker can write to the resources folder there is no further hurdle to clear. The flaw is classified under CWE-94 (Code Injection) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), with a CVSS v3.1 base score of 6.1. The issue was reported by researcher @dariushoule and has been publicly disclosed by the Electron security team.

This integrity bypass is a direct risk to any desktop application built with a vulnerable version of Electron that relies on ASAR integrity, including projects like AgentPlex, which depends on `electron@^33.2.0`. That caret range is worth a second look: it can never resolve to a patched release, and Electron's support policy covers only the latest three stable major lines, so 33.x received no backport; the repository needs a major version bump rather than a lockfile refresh. The immediate impact is limited to attackers who already have local write access, but code planted this way runs as the application, with its identity and privileges, every time it launches, and can read whatever the application can: stored credentials, sessions, and user data. That is precisely the tampering the integrity mechanism exists to stop. Developers should update to a patched release on a supported major line (35.7.5 is the first on 35.x), rebuild, and confirm that the fuses are still set in the shipped binary to restore the intended guarantees of ASAR integrity.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2025-55305, Electron, ASAR, Code Injection, Desktop Security
- **Credibility**: unverified
- **Published**: 2026-03-26 11:27:19
- **ID**: 35279
- **URL**: https://whisperx.ai/en/intel/35279