CVE-2024-23740: 
Homebrew vulnerability analysis and mitigation

An issue in Kap for macOS version 3.6.0 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. This vulnerability is related to Electron's fuses functionality (Electron Blog).

The vulnerability involves two of Electron's fuses - runAsNode and enableNodeCliInspectArguments. When enabled, these features could potentially allow an attacker to use the impacted app as a generic Node.js process with inherited TCC (Transparency, Consent, and Control) permissions. This means if the app has been granted specific system permissions, an attacker could potentially execute code that inherits those permissions (Electron Blog).

If exploited, an attacker who already has access to the system could run the affected application as a Node.js process and execute arbitrary code with inherited permissions. For example, if the app has been granted access to system resources like the address book, the attacker could potentially access these resources through the compromised application (Electron Blog).

The recommended mitigation is to disable the runAsNode fuse within the Electron app. However, disabling this fuse will affect process.fork functionality in the main process. As an alternative, developers are advised to use Utility Processes for scenarios requiring standalone Node.js processes. The Electron team provides detailed guidance in their Security Checklist for implementing these changes (Electron Blog).

The Electron team has publicly stated that they do not believe these CVEs were filed in good faith, noting that the severity level of 'Critical' is inappropriate for this type of vulnerability. They also pointed out that affected companies were not notified despite having bug bounty programs in place (Electron Blog).