CVE-2024-23739: 
NixOS vulnerability analysis and mitigation

A vulnerability identified as CVE-2024-23739 affects Discord for macOS version 0.0.291 and earlier versions. The vulnerability allows remote attackers to execute arbitrary code through the RunAsNode and enableNodeCliInspectArguments settings (CVE Mitre, NVD).

The vulnerability is related to Electron's fuses - specifically the RunAsNode and enableNodeCliInspectArguments components. According to Electron's official statement, the vulnerability requires an attacker to already have access to the attacked system, either through physical access or full remote code execution. When exploited, it allows the attacker to use the impacted app as a generic Node.js process with inherited TCC (Transparency, Consent, and Control) permissions (Electron Blog).

If successfully exploited, an attacker who already has system access can run the application as Node.js and execute arbitrary code which will inherit the application's permissions. For example, if the app has been granted access to the address book, the attacker can leverage this vulnerability to access that data. This is known as a 'living off the land' attack (Electron Blog).

The recommended mitigation is to disable the RunAsNode fuse within the Electron app. This can be done by following the Electron Fuses documentation. However, disabling this fuse will affect process.fork functionality in the main process. As an alternative, developers are advised to use Utility Processes for scenarios requiring standalone Node.js processes (Electron Blog).

The Electron team has publicly addressed this vulnerability, stating that they do not believe the CVEs were filed in good faith. They noted that the affected companies were not notified despite having bug bounty programs, and the severity level of 'Critical' was inappropriately assigned to these vulnerabilities (Electron Blog).