CVE-2025-12843
Code Injection in waveterm 0.12.2 Enables MacOS TCC Bypass

Publication date: 2025-12-12

Last updated on: 2025-12-18

Assigner: Fluid Attacks

Description
Code Injection using Electron Fuses in waveterm on MacOS allows TCC Bypass. This issue affects waveterm: 0.12.2.
Meta Information
Published: 2025-12-12
Last Modified: 2025-12-18
Generated: 2026-06-16
AI Q&A: 2025-12-13
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: fluidattacks; Product: waveterm; Version / Range: 0.12.2
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Compliance Impact

This vulnerability allows bypassing macOS's Transparency, Consent, and Control (TCC) mechanism, enabling unauthorized capture of audio, video, or screen content without user consent. Such unauthorized access to personal or sensitive data can lead to violations of privacy regulations and standards like GDPR and HIPAA, which require explicit user consent and protection of personal data. Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to unauthorized data access and potential data breaches. [2]

Executive Summary

This vulnerability is a code injection issue in the waveterm application version 0.12.2 on macOS. It involves the misuse of Electron Fuses, which allows an attacker to bypass the Transparency, Consent, and Control (TCC) system on macOS. Essentially, this means that malicious code can be injected and executed, circumventing macOS security controls designed to protect user privacy and system integrity.

Impact Analysis

The vulnerability can allow an attacker with limited privileges to execute arbitrary code by bypassing macOS's TCC protections. This could lead to unauthorized access to sensitive data or system resources, potentially compromising the security and privacy of the affected system.

Detection Guidance

Detection can involve checking for the presence of the environment variable ELECTRON_RUN_AS_NODE set to true in launch daemon plist files related to waveterm, and monitoring for suspicious launchctl daemon entries that execute scripts or binaries under waveterm's context. You can use commands like `launchctl list` to list loaded daemons, and `launchctl print <service-name>` to inspect specific daemons. Additionally, searching for plist files such as 'bypass.plist' in /Library/LaunchDaemons or ~/Library/LaunchAgents that set ELECTRON_RUN_AS_NODE to true can help detect exploitation attempts. Monitoring processes spawned by waveterm that execute Objective-C binaries recording audio or accessing AVFoundation APIs may also indicate exploitation. [2]
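The plist check described above, as an added defender-side example that is not part of this CVE record: it scans launchd plist directories for an EnvironmentVariables entry setting ELECTRON_RUN_AS_NODE and reports the value together with the program launchd would run. The application path and the sample plist are constructed placeholders, not waveterm's real install path.

```shell
# Added example, not part of the CVE record: scan launchd plist directories for
# EnvironmentVariables entries setting ELECTRON_RUN_AS_NODE (the indicator the
# detection guidance names). All paths and the sample plist are constructed.
# Plist as XML text; binary plists are converted with plutil where it exists (macOS).
plist_as_xml() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}
# Print "file<TAB>value<TAB>program" for each plist in the given directories
# that sets ELECTRON_RUN_AS_NODE. Returns 0 if any were found, 1 otherwise.
scan_launchd_plists() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            # Strip whitespace so each key/value pair is one contiguous run.
            flat=$(plist_as_xml "$f" | tr -d '\n\r\t ')
            val=$(printf '%s' "$flat" | sed -n 's/.*<key>ELECTRON_RUN_AS_NODE<\/key><string>\([^<]*\)<\/string>.*/\1/p')
            [ -n "$val" ] || continue
            # What launchd runs: first ProgramArguments entry, else Program.
            prog=$(printf '%s' "$flat" | sed -n 's/.*<key>ProgramArguments<\/key><array><string>\([^<]*\)<\/string>.*/\1/p')
            [ -n "$prog" ] || prog=$(printf '%s' "$flat" | sed -n 's/.*<key>Program<\/key><string>\([^<]*\)<\/string>.*/\1/p')
            printf '%s\t%s\t%s\n' "$f" "$val" "${prog:-?}"
            found=0
        done
    done
    return "$found"
}
# Constructed sample modelled on the 'bypass.plist' pattern the record
# describes, so the scanner can be exercised offline.
write_sample_plist() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>example.bypass</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/ExampleElectronApp.app/Contents/MacOS/ExampleElectronApp</string>
    <string>/tmp/script.js</string>
  </array>
  <key>EnvironmentVariables</key><dict><key>ELECTRON_RUN_AS_NODE</key><string>1</string></dict>
</dict></plist>
EOF
}
scan_launchd_plists /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents" || echo "no launchd plist sets ELECTRON_RUN_AS_NODE"
```

Any hit should be compared against the process tree (`launchctl print <service-name>` shows the live service) because a legitimate Electron tooling script may also set the variable; the value is what launchd hands to the process, so presence matters more than whether it reads 1 or true.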

Mitigation Strategies

Immediate mitigation steps include removing or disabling any launch daemon plist files (e.g., bypass.plist) that set the ELECTRON_RUN_AS_NODE environment variable to true and launch waveterm with scripts that execute arbitrary code. Restrict or monitor the use of waveterm on macOS systems, especially version 0.12.2, until a patch is available. Limit user privileges to prevent local attackers from creating or loading malicious launch daemons. Since no patch is currently available, applying strict access controls and monitoring for suspicious activity related to waveterm is critical. [2]
