GHSA-7rvm-xjpp-63r9
actual Allows Electron to Run As Node
상세
## Summary
A electron run as node vulnerability was identified in `actual` (macOS application, version `25.x (Electron 39.2.7)`).
**Vulnerability Type:** Electron Run As Node
## Description
ELECTRON_RUN_AS_NODE fuse enabled (Electron 39.2.7) — app can be converted to Node.js REPL for arbitrary code execution
## Impact
An attacker who can place a file on disk or control command-line arguments can invoke the signed Actual.app binary with ELECTRON_RUN_AS_NODE=1 to execute arbitrary Node.js code inheriting the apps entitlements and code signature. This bypasses macOS Gatekeeper review of the payload: the Node.js script runs as Actual, under Actuals bundle ID and signed identity, and has access to any entitlements the app carries (network, file access, keychain, automation). Combined with any downloader (browser, mail attachment, Slack link) this becomes a signed-binary-abuse primitive on every Mac with Actual installed.
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.