CVE-2024-23742: 
Homebrew vulnerability analysis and mitigation

An issue in Loom on macOS version 0.196.1 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings (NVD, GitHub). However, this vulnerability is disputed as it requires local access to a victim's machine (Electron Blog).

The vulnerability is related to two of Electron's fuses - runAsNode and enableNodeCliInspectArguments. When enabled, these features allow the application to be run as a generic Node.js process with inherited TCC (Transparency, Consent, and Control) permissions. This means if the app has been granted access to system resources like the address book, an attacker could run the app as Node.js and execute arbitrary code which will inherit those permissions (Electron Blog).

If exploited, an attacker who already has access to the system could use the impacted app as a generic Node.js process with inherited permissions. This is known as a 'living off the land' attack, where attackers typically use PowerShell, Bash, or similar tools to run arbitrary code with the permissions granted to the application (Electron Blog).

The recommended mitigation is to disable the runAsNode fuse within the Electron app. This can be done by following the Electron Fuses documentation. However, disabling this fuse will affect process.fork functionality in the main process. As an alternative, developers are advised to use Utility Processes for scenarios requiring standalone Node.js processes (Electron Blog).

The Electron team has publicly stated that they do not believe these CVEs were filed in good faith, noting that affected companies were not notified despite having bug bounty programs. They argue that the 'Critical' severity rating is inappropriate for this type of vulnerability (Electron Blog).