Skip to content

Instantly share code, notes, and snippets.

@khronokernel
Last active April 15, 2024 02:27
Show Gist options
  • Save khronokernel/b68709335aa097752423f5d6844c3aa3 to your computer and use it in GitHub Desktop.
Save khronokernel/b68709335aa097752423f5d6844c3aa3 to your computer and use it in GitHub Desktop.
Arbitrary Code Execution in Weave Desktop

CVE-2024-25545 - Arbitrary Code Execution in Weave Desktop

On January 9th, 2024, Weave was notified through their responsible disclosure system that Weave version 7.78.10 is vulnerable to arbitrary code execution and as of April 9th, 2024, is still vulnerable.

Note while Weave does list a paid bug bounty on their site, no compensation was given.

Affected Products

  • Weave Desktop
    • Affected: All current versions (7.78.10 through 7.84.1 confirmed)
    • Fixed: N/A

Vulnerability Details

Due to Weave Desktop being built with the nwjs (version 92.0.4515.107), the framework implements the ability to pass arbitrary JavaScript to the application. With TCC inheritance in macOS, the malicious script gain additional privileges such as Microphone and Camera access normally blocked by the operating system for user approval.

Additionally any systems that rely on code signature checks can be spoofed into using Weave's ID, which can be used to bypass security checks.

Disclosure Timeline

Sender Topic Date
RIPEDA Vulnerability discovered January 9th, 2024
RIPEDA Vulnerability reported to Weave January 9th, 2024
Weave Confirmation of report January 9th, 2024
Weave Notified Electron rewrite as patch, currently in limited release January 17th, 2024
RIPEDA Associated vulnerability with CVE-2024-25545 February 8th, 2024
Weave Request for planned CVE info publication February 20th, 2024
RIPEDA Explanation of CVSS process, and estimated score February 24th, 2024
RIPEDA Disclosure April 9th, 2024

Weave has stated that there is an Electron rewrite in development that will resolve this vulnerability.

Following Project Zero's 90+30 Vulnerability Disclosure Policy, RIPEDA Consulting has not been notified of an official release on the main site and thus in the best interest of the public has released this report.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment