CVE-2025-54871 MEDIUM

CVE-2025-54871: Electron Capture is Vulnerable to TCC Bypass via Misconfigured Node Fuses (macOS)

Vendor Steveseguin

Product electroncapture

Weakness CWE-284

Published August 5, 2025

Last update August 5, 2025

View on NVD All CVEs

CVSS base score

5.5/10

Attack vector Local

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be executed via the -e flag, which runs inside the main Electron context, inheriting any previously granted TCC entitlements (such as access to Documents, Downloads, etc.). This issue is fixed in version 2.20.0.

Key dates

02Disclosure timeline

August 5, 2025 CVE published

August 5, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-54871 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

CVE-2025-54871: Electron Capture is Vulnerable to TCC Bypass via Misconfigured Node Fuses (macOS)

01Description

02Disclosure timeline

03References

04Related CVE