On January 9th, 2024, Weave was notified through their responsible disclosure system that Weave version 7.78.10 is vulnerable to arbitrary code execution. As of April 9th, 2024, it is still vulnerable.
Note that while Weave does list a paid bug bounty on their site, no compensation was given.
- Weave Desktop
- Affected: All current versions (7.78.10 through 7.84.1 confirmed)
- Fixed: N/A
Weave Desktop is built with nwjs (version 92.0.4515.107), a framework that implements the ability to pass arbitrary JavaScript to the application. Through TCC inheritance in macOS, a malicious script gains additional privileges, such as Microphone and Camera access, that the operating system normally blocks pending user approval.
Additionally, any systems that rely on code signature checks can be spoofed into using Weave's ID, which can be used to bypass security checks.
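For defenders inventorying exposure to this class of issue, the following added example (not part of the original advisory and not Weave's or nwjs's code) finds app bundles that embed nwjs and lists the Camera and Microphone usage descriptions they declare, i.e. the TCC services that code running inside the app would inherit. The framework directory name `nwjs Framework.framework`, the function names and the sample bundles are assumptions constructed for the example.

```python
import plistlib
from pathlib import Path

# Assumption: nwjs-based macOS apps embed a framework directory with this name.
NWJS_FRAMEWORK = "nwjs Framework.framework"
TCC_KEYS = {"NSCameraUsageDescription": "Camera",
            "NSMicrophoneUsageDescription": "Microphone"}  # services named in the advisory


def audit_bundle(app: Path):
    """Return a finding for an nwjs-based .app bundle, or None otherwise."""
    info_path = app / "Contents" / "Info.plist"
    if not info_path.is_file():
        return None
    # rglob covers layouts that nest the framework under Frameworks/ or Versions/.
    if not any(p.is_dir() for p in app.rglob(NWJS_FRAMEWORK)):
        return None
    try:
        info = plistlib.loads(info_path.read_bytes())
    except Exception:  # malformed plist: still report the bundle
        info = {}
    return {"bundle": app.name,
            "bundle_id": info.get("CFBundleIdentifier", "unknown"),
            "version": info.get("CFBundleShortVersionString", "unknown"),
            "tcc_services": sorted(v for k, v in TCC_KEYS.items() if k in info)}


def audit_directory(root: Path):
    """Audit every top-level .app under root, e.g. /Applications."""
    return [f for p in sorted(root.glob("*.app")) if (f := audit_bundle(p)) is not None]


def build_sample(root: Path):
    """Constructed sample bundles (not real apps) so the audit runs offline."""
    nw = root / "SampleNwjs.app" / "Contents"
    (nw / "Frameworks" / NWJS_FRAMEWORK).mkdir(parents=True)
    (nw / "Info.plist").write_bytes(plistlib.dumps({
        "CFBundleIdentifier": "com.example.sample",
        "CFBundleShortVersionString": "1.0.0",
        "NSCameraUsageDescription": "constructed",
        "NSMicrophoneUsageDescription": "constructed"}))
    plain = root / "Plain.app" / "Contents"
    plain.mkdir(parents=True)
    (plain / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": "com.example.plain"}))


if __name__ == "__main__":
    for finding in audit_directory(Path("/Applications")):
        print(finding)
```

A usage-description key only shows that the app can request the service; whether the user has actually granted it is recorded in the TCC database, not in the bundle.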
Sender | Topic | Date |
---|---|---|
RIPEDA | Vulnerability discovered | January 9th, 2024 |
RIPEDA | Vulnerability reported to Weave | January 9th, 2024 |
Weave | Confirmation of report | January 9th, 2024 |
Weave | Notified Electron rewrite as patch, currently in limited release | January 17th, 2024 |
RIPEDA | Associated vulnerability with CVE-2024-25545 | February 8th, 2024 |
Weave | Request for planned CVE info publication | February 20th, 2024 |
RIPEDA | Explanation of CVSS process, and estimated score | February 24th, 2024 |
RIPEDA | Disclosure | April 9th, 2024 |
Weave has stated that there is an Electron rewrite in development that will resolve this vulnerability.
RIPEDA Consulting has not been notified of an official release on the main site and thus, following Project Zero's 90+30 Vulnerability Disclosure Policy and in the best interest of the public, has released this report.
- Reference: Weave: Download the Weave Desktop App.