CVE-2025-54871

Public Exploit
Electron Capture is Vulnerable to TCC Bypass via Misconfigured Node Fuses (macOS)

Description

Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be executed via the -e flag, which runs inside the main Electron context, inheriting any previously granted TCC entitlements (such as access to Documents, Downloads, etc.). This issue is fixed in version 2.20.0.

Category

5.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.01%
Affected: steveseguin electroncapture
Published at:
Updated at:

References

Link Tags
https://github.com/steveseguin/electroncapture/security/advisories/GHSA-8849-p3j4-jq4h
https://github.com/steveseguin/electroncapture/commit/3837f54e75911bb99fa45cfa138a5e401d16f531
https://github.com/steveseguin/electroncapture/releases/tag/2.20.0

Frequently Asked Questions

What is the severity of CVE-2025-54871?
CVE-2025-54871 has been scored as a medium severity vulnerability.
How to fix CVE-2025-54871?
To fix CVE-2025-54871, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-54871 being actively exploited in the wild?
It is possible that CVE-2025-54871 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-54871?
CVE-2025-54871 affects steveseguin electroncapture.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.