CVE-2024-23738: 
NixOS vulnerability analysis and mitigation

An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. This vulnerability has been disputed by the vendor, who states that the configuration does not enable remote code execution (CVE Mitre).

The vulnerability is related to Electron's fuses - runAsNode and enableNodeCliInspectArguments components. By default, all released versions of Electron have these features enabled. The exploit potentially allows an attacker to use the impacted app as a generic Node.js process with inherited TCC permissions. For example, if the app has been granted access to the address book, the attacker could run the app as Node.js and execute arbitrary code which will inherit that address book access (Electron Blog).

If exploited, the vulnerability could allow an attacker to execute arbitrary code with the permissions of the affected application. However, it's important to note that the attacker needs to already have access to the attacked system, either through physical access or full remote code execution capabilities (Electron Blog).

The recommended mitigation is to disable the runAsNode fuse within the Electron app. This fuse controls whether the ELECTRON_RUN_AS_NODE environment variable is respected. However, disabling this fuse may affect process.fork functionality in the main process. As an alternative, developers are advised to use Utility Processes for scenarios requiring standalone Node.js processes (Electron Blog).

The Electron team has publicly stated that they do not believe these CVEs were filed in good faith, noting that affected companies were not notified despite having bug bounty programs. They also dispute the 'Critical' severity rating assigned to the vulnerability (Electron Blog).