CVE-2025-12843
Code Injection in waveterm 0.12.2 Enables MacOS TCC Bypass
Publication date: 2025-12-12
Last updated on: 2025-12-18
Assigner: Fluid Attacks
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fluidattacks | waveterm | 0.12.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a code injection issue in the waveterm application version 0.12.2 on macOS. It stems from the misuse of Electron Fuses: because the build leaves the Electron binary able to run as plain Node.js, code launched through it inherits the permissions already granted to the app, which lets an attacker bypass the Transparency, Consent, and Control (TCC) system on macOS. In effect, malicious code can be injected and executed while circumventing the macOS controls designed to protect user privacy and system integrity.
How can this vulnerability impact me?
The vulnerability can allow an attacker with limited privileges to execute arbitrary code by bypassing MacOS's TCC protections. This could lead to unauthorized access to sensitive data or system resources, potentially compromising the security and privacy of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows bypassing macOS's Transparency, Consent, and Control (TCC) mechanism, enabling unauthorized capture of audio, video, or screen content without user consent. Such unauthorized access to personal or sensitive data can lead to violations of privacy regulations and standards like GDPR and HIPAA, which require explicit user consent and protection of personal data. Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to unauthorized data access and potential data breaches. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve checking for the environment variable `ELECTRON_RUN_AS_NODE` set to true in launch daemon plist files that reference waveterm, and monitoring for suspicious launchctl daemon entries that execute scripts or binaries under waveterm's context. You can use commands like `launchctl list` to list loaded daemons and `launchctl print <service-name>` to inspect a specific daemon. Additionally, searching for plist files such as `bypass.plist` in `/Library/LaunchDaemons` or `~/Library/LaunchAgents` that set `ELECTRON_RUN_AS_NODE` to true can help detect exploitation attempts. Processes spawned by waveterm that execute Objective-C binaries recording audio or accessing AVFoundation APIs may also indicate exploitation. [2]
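The plist check described above, as an added example that is not part of this advisory or of the waveterm project: it parses launchd plists with the standard `plistlib`, flags any that set `ELECTRON_RUN_AS_NODE`, and notes whether the program path looks like waveterm. The `APP_HINT` substring, the install path in the constructed sample, and the `inspect_plist`/`scan_dirs` names are assumptions for illustration.

```python
import plistlib
from pathlib import Path

ENV_KEY = "ELECTRON_RUN_AS_NODE"
APP_HINT = "wave"  # substring expected in the waveterm binary path; assumed, adjust to your install


def inspect_plist(data):
    """Return a finding dict if a launchd plist sets ELECTRON_RUN_AS_NODE, else None."""
    try:
        plist = plistlib.loads(data)
    except (plistlib.InvalidFileException, ValueError):
        return None  # not a parseable plist
    env = plist.get("EnvironmentVariables") or {}
    if not isinstance(env, dict) or ENV_KEY not in env:
        return None
    # Electron honours the variable whenever it is present, so any value is flagged.
    args = plist.get("ProgramArguments") or []
    program = str(plist.get("Program") or (args[0] if args else ""))
    return {
        "label": plist.get("Label", "<no label>"),
        "program": program,
        "env_value": str(env[ENV_KEY]),
        "targets_waveterm": any(APP_HINT in str(a).lower() for a in [program, *args]),
        "run_at_load": bool(plist.get("RunAtLoad", False)),
    }


def scan_dirs(dirs):
    """Scan launchd directories and return findings tagged with the file path."""
    findings = []
    for d in dirs:
        for p in Path(d).expanduser().glob("*.plist"):
            hit = inspect_plist(p.read_bytes())
            if hit:
                findings.append({"path": str(p), **hit})
    return findings


# Constructed sample plist of the kind the advisory describes (app path is assumed).
SUSPICIOUS = b"""<plist version="1.0"><dict>
<key>Label</key><string>com.example.bypass</string>
<key>EnvironmentVariables</key><dict><key>ELECTRON_RUN_AS_NODE</key><string>true</string></dict>
<key>ProgramArguments</key><array><string>/Applications/Wave.app/Contents/MacOS/Wave</string>
<string>/tmp/payload.js</string></array><key>RunAtLoad</key><true/></dict></plist>"""
# Constructed benign agent for comparison.
BENIGN = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/backup.sh</string></array></dict></plist>"""

if __name__ == "__main__":
    for hit in scan_dirs(["/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents"]):
        print(hit)
```

Binary plists are handled too, since `plistlib.loads` detects the format; pair the output with `launchctl print` on each flagged label to confirm the job is actually loaded.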
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling any launch daemon plist files (e.g., bypass.plist) that set the ELECTRON_RUN_AS_NODE environment variable to true and launch waveterm with scripts that execute arbitrary code. Restrict or monitor the use of waveterm on macOS systems, especially version 0.12.2, until a patch is available. Limit user privileges to prevent local attackers from creating or loading malicious launch daemons. Since no patch is currently available, applying strict access controls and monitoring for suspicious activity related to waveterm is critical. [2]