We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-54871

Electron Capture is Vulnerable to TCC Bypass via Misconfigured Node Fuses (macOS)



Description

Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be executed via the -e flag, which runs inside the main Electron context, inheriting any previously granted TCC entitlements (such as access to Documents, Downloads, etc.). This issue is fixed in version 2.20.0.

Reserved 2025-07-31 | Published 2025-08-05 | Updated 2025-08-05 | Assigner GitHub_M


MEDIUM: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-284: Improper Access Control

Product status

< 2.20.0
affected

References

github.com/...apture/security/advisories/GHSA-8849-p3j4-jq4h

github.com/...ommit/3837f54e75911bb99fa45cfa138a5e401d16f531

github.com/steveseguin/electroncapture/releases/tag/2.20.0

cve.org (CVE-2025-54871)

nvd.nist.gov (CVE-2025-54871)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-54871

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.