CVE-2024-23741: 
NixOS vulnerability analysis and mitigation

An issue in Hyper on macOS version 3.4.1 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. The vulnerability was assigned CVE-2024-23741 and was discovered in January 2024 (MITRE CVE).

The vulnerability is related to Electron's fuses - specifically runAsNode and enableNodeCliInspectArguments components. By default, these features are enabled in all released versions of Electron. When exploited, it allows the application to be used as a generic Node.js process with inherited TCC (Transparency, Consent, and Control) permissions. This means if the app has been granted specific system permissions, an attacker can run the app as Node.js and execute arbitrary code with those inherited permissions (Electron Blog).

The impact of this vulnerability requires an attacker to already have access to the attacked system, either through physical access or through full remote code execution. If successful, the attacker can execute arbitrary code with the permissions granted to the application. This is considered a 'living off the land' attack, where attackers can utilize the compromised application to run arbitrary code with inherited system permissions (Electron Blog).

The recommended mitigation is to disable the runAsNode fuse within the Electron app. This can be done by following the Electron Fuses documentation. However, disabling this fuse will affect process.fork functionality in the main process. As an alternative, developers are advised to use Utility Processes for scenarios requiring standalone Node.js processes (Electron Blog).

The Electron team has publicly responded to this vulnerability, stating that they do not believe the CVEs were filed in good faith. They noted that companies mentioned in these CVEs were not notified despite having bug bounty programs, and the severity level of 'Critical' was questioned as being inappropriately high for the actual risk level (Electron Blog).