CVE-2025-54871
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-10-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electroncapture | electron_capture | up to 2.20.0 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| NVD-CWE-noinfo | Insufficient information |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54871 is a vulnerability in the elecap application on macOS where misconfigured Electron Node Fuses allow local unprivileged users to bypass macOS Transparency, Consent, and Control (TCC) privacy protections. By setting the environment variable ELECTRON_RUN_AS_NODE=true, an attacker can run the Electron app as a Node.js interpreter and execute arbitrary JavaScript code using the -e flag. This code runs inside the main Electron context and inherits all previously granted TCC entitlements, such as access to Documents, Downloads, Camera, and Microphone, effectively bypassing macOS security without user consent. The root cause is the enabling of development/debugging fuses like RunAsNode, EnableNodeOptionsEnvironmentVariable, and EnableNodeCliInspectArguments in production, which expose the app to code injection and sandbox escape. [1, 2]
How can this vulnerability impact me?
This vulnerability allows a local attacker with low privileges to bypass macOS privacy protections and access sensitive user data such as Documents and Downloads folders, as well as hardware like the microphone and camera, without user consent or notification. It enables privilege escalation and persistence by running arbitrary Node.js code within the Electron app's context, inheriting all granted TCC permissions. This can lead to unauthorized data access, privacy violations, and potential stealthy exploitation on affected systems. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the Electron fuse configuration of the elecap app on macOS. Specifically, run the command `npx @electron/fuses read --app /Applications/elecap.app` to read the fuse settings. If the fuses `RunAsNode`, `EnableNodeOptionsEnvironmentVariable`, and `EnableNodeCliInspectArguments` are enabled, the app is vulnerable. Additionally, detection can involve checking for the presence of a LaunchAgent plist named `com.electron.tcc.bypass.plist` that runs elecap with the `ELECTRON_RUN_AS_NODE=true` environment variable, which is used to exploit the vulnerability. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the elecap application to version 2.20.0 or later, where the vulnerability is fixed by disabling the dangerous Electron fuses (`RunAsNode`, `EnableNodeOptionsEnvironmentVariable`, and `EnableNodeCliInspectArguments`). If upgrading is not immediately possible, ensure that the environment variable `ELECTRON_RUN_AS_NODE` is not set or blocked, and remove any malicious LaunchAgent plist files such as `com.electron.tcc.bypass.plist` that exploit this vulnerability. Additionally, verify fuse settings using `npx @electron/fuses read --app /Applications/elecap.app` and confirm that the risky fuses are disabled. [1, 2]
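The detection and verification answers above both come down to reading the fuse report and checking the three fuses named in the advisory. The following is an added example (not code from the advisory, BaseFortify, or the elecap project) that audits the text printed by `npx @electron/fuses read --app /Applications/elecap.app`; it assumes that CLI's `<FuseName> is Enabled|Disabled|Removed` line format, and the sample reports are constructed.

```javascript
// Added example: audit an @electron/fuses "read" report for the fuses
// CVE-2025-54871 is about. Assumption: the CLI prints one
// "<FuseName> is Enabled|Disabled|Removed" line per fuse.
const RISKY_FUSES = [
  'RunAsNode',
  'EnableNodeOptionsEnvironmentVariable',
  'EnableNodeCliInspectArguments',
];

// Parse the CLI text into { fuseName: 'Enabled' | 'Disabled' | 'Removed' }.
// Lines that do not match the fuse format (banner, version) are ignored.
function parseFuseReport(text) {
  const states = {};
  const re = /^\s*([A-Za-z0-9]+)\s+is\s+(Enabled|Disabled|Removed)\s*$/;
  for (const line of text.split('\n')) {
    const m = re.exec(line);
    if (m) states[m[1]] = m[2];
  }
  return states;
}

// Risky fuses that are still enabled; an empty list means the build
// matches the fixed (>= 2.20.0) configuration described in the advisory.
function findRiskyFuses(states) {
  return RISKY_FUSES.filter((f) => states[f] === 'Enabled');
}

// Verdict for a whole report: { vulnerable: bool, enabled: [...] }.
function auditReport(text) {
  const enabled = findRiskyFuses(parseFuseReport(text));
  return { vulnerable: enabled.length > 0, enabled };
}

// Constructed sample resembling a vulnerable (pre-2.20.0) report.
const SAMPLE_VULNERABLE = `
Analyzing app: /Applications/elecap.app
Fuse Version: 1
  RunAsNode is Enabled
  EnableCookieEncryption is Disabled
  EnableNodeOptionsEnvironmentVariable is Enabled
  EnableNodeCliInspectArguments is Enabled
  EnableEmbeddedAsarIntegrityValidation is Disabled
  OnlyLoadAppFromAsar is Disabled
`;

// Constructed sample resembling the fixed configuration.
const SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(/is Enabled/g, 'is Disabled');
```

In practice, pipe the real CLI output into `auditReport` (for example by reading stdin in a small wrapper script) and treat a non-empty `enabled` list as the signal to upgrade.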