CVE-2025-54871

5.5 MEDIUM

📋 TL;DR

This vulnerability in Electron Capture allows local unprivileged users on macOS to bypass TCC privacy protections by setting the ELECTRON_RUN_AS_NODE environment variable. This enables execution of arbitrary Node.js code that inherits previously granted TCC entitlements like access to Documents and Downloads folders. Users of Electron Capture versions 2.19.1 and below on macOS are affected.

💻 Affected Systems

Products:
  • Electron Capture
Versions: 2.19.1 and below
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS systems where TCC (Transparency, Consent, and Control) privacy framework is used. Requires local user access.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with local access could execute arbitrary Node.js code with elevated TCC permissions, potentially accessing sensitive user data (Documents, Downloads, etc.), capturing screen content, or performing other unauthorized actions.

🟠 Likely Case

Local users could bypass TCC restrictions to access files and folders they shouldn't have permission to view, violating macOS privacy protections.

🟢 If Mitigated

With proper access controls and updated software, the risk is limited to authorized users only, preventing unauthorized TCC bypass.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this to bypass macOS privacy controls and access restricted data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of how to set environment variables and execute Node.js code via the -e flag.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.20.0

Vendor Advisory: https://github.com/steveseguin/electroncapture/security/advisories/GHSA-8849-p3j4-jq4h

Restart Required: No

Instructions:

1. Download Electron Capture version 2.20.0 or higher from the official releases page.
2. Replace the existing installation with the updated version.
3. Verify the update was successful by checking the version number.

🔧 Temporary Workarounds

Remove ELECTRON_RUN_AS_NODE environment variable

macOS

Prevent exploitation by ensuring the ELECTRON_RUN_AS_NODE environment variable is not set when running Electron Capture.

unset ELECTRON_RUN_AS_NODE

🧯 If You Can't Patch

  • Restrict local user access to systems running vulnerable versions of Electron Capture.
  • Monitor for unusual Node.js execution or TCC permission bypass attempts through system logs.

🔍 How to Verify

Check if Vulnerable:

Check if Electron Capture version is 2.19.1 or below and running on macOS.

Check Version:

Check application version in About dialog or via command line if available.

Verify Fix Applied:

Confirm Electron Capture version is 2.20.0 or higher and test that setting ELECTRON_RUN_AS_NODE no longer allows TCC bypass.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Node.js execution via Electron Capture
  • TCC permission bypass attempts
  • ELECTRON_RUN_AS_NODE environment variable being set

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Search for process execution events where parent process is Electron Capture and command includes Node.js execution flags.
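The search described above, written as an added example (not code from the vendor advisory or the Electron Capture project): a Python filter over process-execution events that also applies the 2.19.1 / 2.20.0 version boundary. The event field names (image, parent_image, args, env), the APP_MARKER match string and the sample events are assumptions constructed for illustration; map them to whatever your endpoint telemetry actually records.

```python
import json

APP_MARKER = "electron capture"  # assumed substring of the app's executable path
LAST_VULNERABLE = (2, 19, 1)     # advisory: 2.19.1 and below affected, fixed in 2.20.0

def is_vulnerable(version: str) -> bool:
    """True when a dotted version string is 2.19.1 or below."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    return parts <= LAST_VULNERABLE

def suspicious(event: dict) -> list[str]:
    """Return the indicators an event matches; an empty list means no match."""
    images = (event.get("image", ""), event.get("parent_image", ""))
    if not any(APP_MARKER in i.lower() for i in images):
        return []  # neither the process nor its parent is Electron Capture
    reasons = []
    if "ELECTRON_RUN_AS_NODE" in event.get("env", {}):
        reasons.append("ELECTRON_RUN_AS_NODE set")
    if any(a in ("-e", "--eval") for a in event.get("args", [])):
        reasons.append("inline Node.js evaluation flag")
    return reasons

# Constructed sample events (one JSON object per line); not real telemetry.
SAMPLE = """\
{"pid": 410, "image": "/Applications/Electron Capture.app/Contents/MacOS/app", "args": [], "env": {"HOME": "/Users/a"}}
{"pid": 522, "image": "/Applications/Electron Capture.app/Contents/MacOS/app", "args": ["-e", "<script>"], "env": {"ELECTRON_RUN_AS_NODE": "1"}}
{"pid": 633, "image": "/usr/local/bin/node", "parent_image": "/bin/zsh", "args": ["-e", "<script>"], "env": {}}
{"pid": 744, "image": "/Applications/Electron Capture.app/Contents/MacOS/app", "args": ["task.js"], "env": {"ELECTRON_RUN_AS_NODE": "1"}}
"""

def scan(lines: str) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every event that matches an indicator."""
    hits = []
    for line in filter(None, lines.splitlines()):
        ev = json.loads(line)
        why = suspicious(ev)
        if why:
            hits.append((ev["pid"], why))
    return hits

if __name__ == "__main__":
    for pid, why in scan(SAMPLE):
        print(pid, "; ".join(why))
```

A normal launch (pid 410) and an unrelated Node.js process (pid 633) are not flagged, which keeps the rule scoped to the application named in this advisory.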
