CVE-2025-54871
Severity CVSS v4.0:
Pending analysis
Type:
CWE-284
Improper Access Control
Publication date:
05/08/2025
Last modified:
09/10/2025
Description
Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be executed via the -e flag, which runs inside the main Electron context, inheriting any previously granted TCC entitlements (such as access to Documents, Downloads, etc.). This issue is fixed in version 2.20.0.
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:electroncapture:electron_capture:*:*:*:*:*:*:*:* | 2.20.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/steveseguin/electroncapture/commit/3837f54e75911bb99fa45cfa138a5e401d16f531
- https://github.com/steveseguin/electroncapture/releases/tag/2.20.0
- https://github.com/steveseguin/electroncapture/security/advisories/GHSA-8849-p3j4-jq4h
- https://github.com/steveseguin/electroncapture/security/advisories/GHSA-8849-p3j4-jq4h