PT-2025-4372 · Tabby
Senzee1984 · Published 2025-01-08 · Updated 2025-01-08
CVE-2025-22136
CVSS v4.0: 8.6 (High)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Tabby versions prior to 1.0.217
Description
Tabby, a highly configurable terminal emulator, enables several high-risk Electron fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fuses create potential code injection vectors even though the application is signed with a hardened runtime and does not hold dangerous entitlements such as com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables.
Recommendations
For versions prior to 1.0.217, update to version 1.0.217 or later to resolve the issue. As a temporary workaround, consider disabling the high-risk Electron fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable, until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation.
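To verify whether a build still carries the fuses named above, the following added example (not code from the advisory or from the Tabby project) decodes the fuse wire that the @electron/fuses tooling embeds in an Electron binary and reports which of the three high-risk fuses are enabled. It assumes fuse wire version 1 and the FuseV1Options index order used by that package; SAMPLE_BINARY is a constructed stand-in for a real executable.

```python
# Decodes the fuse wire that @electron/fuses writes into an Electron binary
# (wire version 1): a fixed sentinel string, one version byte, one byte with
# the fuse count, then one byte per fuse: b'0' disabled, b'1' enabled, b'r' removed.
SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"

# Fuse names in wire-version-1 index order (FuseV1Options in @electron/fuses).
FUSE_V1_NAMES = [
    "RunAsNode",
    "EnableCookieEncryption",
    "EnableNodeOptionsEnvironmentVariable",
    "EnableNodeCliInspectArguments",
    "EnableEmbeddedAsarIntegrityValidation",
    "OnlyLoadAppFromAsar",
    "LoadBrowserProcessSpecificV8Snapshot",
    "GrantFileProtocolExtraPrivileges",
]
STATES = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}

# The three fuses the advisory names; a hardened build has each one disabled.
HIGH_RISK = {"RunAsNode", "EnableNodeCliInspectArguments",
             "EnableNodeOptionsEnvironmentVariable"}


def decode_fuses(blob: bytes) -> dict[str, str]:
    """Return {fuse_name: state} decoded from the fuse wire found in blob."""
    pos = blob.find(SENTINEL)
    if pos < 0:
        raise ValueError("fuse sentinel not found: not an Electron binary with fuses")
    wire = pos + len(SENTINEL)
    if len(blob) < wire + 2:
        raise ValueError("truncated fuse wire")
    version, count = blob[wire], blob[wire + 1]
    if version != 1:
        raise ValueError(f"unsupported fuse wire version {version}")
    states = blob[wire + 2 : wire + 2 + count]
    if len(states) != count:
        raise ValueError("truncated fuse wire")
    # Tolerate newer binaries that append fuses this table does not know yet.
    names = FUSE_V1_NAMES + [f"unknown_{i}" for i in range(len(FUSE_V1_NAMES), count)]
    return {names[i]: STATES.get(b, f"0x{b:02x}") for i, b in enumerate(states)}


def high_risk_enabled(fuses: dict[str, str]) -> list[str]:
    """Names of the advisory's high-risk fuses that are still enabled."""
    return sorted(f for f in HIGH_RISK if fuses.get(f) == "enabled")


# Constructed sample: padding around a fuse wire that matches the advisory's
# finding (RunAsNode, NODE_OPTIONS and --inspect fuses all enabled).
SAMPLE_BINARY = b"\x00" * 16 + SENTINEL + bytes([1, 8]) + b"11110000" + b"\x00" * 16
```

For a real install, pass the main executable's bytes to decode_fuses (on macOS the Mach-O inside the app bundle) and treat any non-empty high_risk_enabled result as unpatched; the @electron/fuses npm package also ships a CLI that reads the same wire.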
Code Injection
Affected Products
Electron
Tabby