CVE-2025-51387
📋 TL;DR
CVE-2025-51387 allows remote code execution in GitKraken Desktop due to misconfigured Electron Fuses. Attackers can execute arbitrary code by passing malicious arguments when the application runs in Node.js mode. All users of affected GitKraken Desktop versions are vulnerable.
💻 Affected Systems
- GitKraken Desktop
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with user privileges, steal credentials, install malware, or pivot to other systems.
Likely Case
Local privilege escalation leading to unauthorized access to source code repositories, credential theft, and lateral movement within development environments.
If Mitigated
Limited impact with proper application sandboxing and restricted user permissions, potentially only allowing limited file access.
🎯 Exploit Status
Exploitation requires local access or social engineering to execute malicious arguments. Public proof-of-concept tools like electroniz3r demonstrate the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 10.8.0 and 11.1.0
Vendor Advisory: https://www.electronjs.org/blog/statement-run-as-node-cves#mitigation
Restart Required: Yes
Instructions:
1. Update GitKraken Desktop to the latest version.
2. Verify Electron Fuses are properly configured: RunAsNode disabled and EnableNodeCliInspectArguments disabled.
3. Restart the application.
🔧 Temporary Workarounds
Disable RunAsNode via Environment Variable
Linux: Prevents the application from running in Node.js mode by setting the ELECTRON_RUN_AS_NODE environment variable to 0.
export ELECTRON_RUN_AS_NODE=0
Windows Registry Modification
Windows: Set the ELECTRON_RUN_AS_NODE environment variable to 0 system-wide via registry.
reg add "HKCU\Environment" /v ELECTRON_RUN_AS_NODE /t REG_SZ /d 0 /f
🧯 If You Can't Patch
- Restrict application execution to non-privileged user accounts with minimal permissions.
- Implement application whitelisting to prevent unauthorized execution of GitKraken with malicious arguments.
🔍 How to Verify
Check if Vulnerable:
Check if GitKraken is version 10.8.0 or 11.1.0. Verify Electron Fuse configuration using electron-fuses or similar tools to confirm RunAsNode is enabled.
Check Version:
gitkraken --version
Verify Fix Applied:
Confirm GitKraken version is updated beyond affected versions. Use electron-fuses to verify RunAsNode is disabled and EnableNodeCliInspectArguments is disabled.
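The fuse check described above can also be done by reading the fuse wire straight out of the binary. The following is an added example, not code from GitKraken or the Electron project: it assumes the sentinel string and version 1 fuse order used by the @electron/fuses package, and the sample binaries are constructed in the script.

```javascript
// Added example (not GitKraken or Electron project code).
// Fuse wire layout used by @electron/fuses: SENTINEL, version byte, length byte,
// then one state byte per fuse: '0' disabled, '1' enabled, 'r' removed.
const SENTINEL = Buffer.from('dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX', 'ascii');
const FUSE_NAMES = [ // fuse order for wire version 1
  'RunAsNode', 'EnableCookieEncryption', 'EnableNodeOptionsEnvironmentVariable',
  'EnableNodeCliInspectArguments', 'EnableEmbeddedAsarIntegrityValidation',
  'OnlyLoadAppFromAsar', 'LoadBrowserProcessSpecificV8Snapshot',
  'GrantFileProtocolExtraPrivileges',
];
const STATES = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };

function readFuses(binary) {
  const at = binary.indexOf(SENTINEL); // first occurrence only
  if (at === -1) throw new Error('fuse sentinel not found: not an Electron binary?');
  const wire = at + SENTINEL.length;
  if (wire + 2 > binary.length) throw new Error('truncated fuse wire header');
  const [version, length] = [binary[wire], binary[wire + 1]];
  if (version !== 1) throw new Error(`unsupported fuse wire version ${version}`);
  if (wire + 2 + length > binary.length) throw new Error('truncated fuse wire');
  const fuses = {};
  for (let i = 0; i < length; i++) {
    fuses[FUSE_NAMES[i] || `fuse#${i}`] = STATES[binary[wire + 2 + i]] || 'unknown';
  }
  return fuses;
}

// Returns the fuses this advisory wants disabled that are not in that state.
function auditRunAsNode(fuses) {
  return ['RunAsNode', 'EnableNodeCliInspectArguments']
    .filter((name) => fuses[name] !== 'disabled');
}

// Constructed sample input: padding bytes around a fuse wire, not a real binary.
function sampleBinary(states) {
  return Buffer.concat([
    Buffer.from('constructed-leading-bytes'),
    SENTINEL,
    Buffer.from([1, states.length]),
    Buffer.from(states, 'ascii'),
    Buffer.from('constructed-trailing-bytes'),
  ]);
}

for (const [label, states] of [['constructed-weak', '10110001'], ['constructed-hardened', '01001100']]) {
  const open = auditRunAsNode(readFuses(sampleBinary(states)));
  console.log(label, open.length ? `still enabled: ${open.join(', ')}` : 'ok');
}
```

For a real check, pass readFuses the bytes of the installed application binary, for example the Buffer returned by fs.readFileSync on its path.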
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from GitKraken executable
- Command-line arguments containing Node.js flags or suspicious scripts
Network Indicators:
- Unexpected outbound connections from GitKraken process
- DNS requests to unknown domains
SIEM Query:
Process Creation where Image contains 'gitkraken' and (CommandLine contains '--inspect' or CommandLine contains '--inspect-brk')