CVE-2024-23755: 
Homebrew vulnerability analysis and mitigation

ClickUp Desktop before version 3.3.77 on macOS and Windows contains a vulnerability (CVE-2024-23755) that allows code injection due to specific Electron Fuses configurations. The vulnerability specifically relates to inadequate protection against code injection through settings such as RunAsNode. This high-severity vulnerability was discovered in December 2023 and publicly disclosed in March 2024 (ClickUp Disclosure).

The vulnerability carries a CVSS score of 8.4, indicating high severity. The issue stems from improper configuration of Electron Fuses, particularly the RunAsNode feature, which allows code injection if an attacker can run a malicious application on the user's system. The vulnerability affects ClickUp Desktop versions 3.3.76 and earlier on both macOS and Windows platforms (Security Online, ClickUp Disclosure).

If exploited, the vulnerability could allow attackers with local access to the system to steal sensitive data from ClickUp and potentially other applications, install additional malware, and gain further control over the system. The impact is significant for systems where attackers have successfully executed malicious code (Security Online).

ClickUp has addressed this vulnerability by releasing version 3.3.77 and later versions of the Desktop application. Users are strongly advised to update their ClickUp Desktop applications immediately to the latest version available through the official ClickUp Download Centre. The issue is mitigated by the requirement that an attacker must have local access to the target system (ClickUp Disclosure).

The Electron team has responded to this and similar CVEs, stating that while disabling the components enhances app security, they believe the CVEs were not filed with the correct severity. They argue that 'Critical' severity is not appropriate for this type of vulnerability, as it requires the attacker to already have system access (Electron Blog).