Cyber Resilience

CVE-2024-23739

Critical · Public PoC

Published: 28 January 2024
Modified: 29 May 2025
KEV Added:
Patch:
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3577 (97.2th percentile)
Risk Priority: 41 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-23739 is a critical-severity vulnerability in Discord; no CWE has been assigned to it, so the weakness type is unspecified. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 2.8% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

Deeper analysis

CVE-2024-23739 is a remote code execution vulnerability affecting Discord for macOS versions 0.0.291 and earlier. It stems from the application shipping with Electron's RunAsNode and EnableNodeCliInspectArguments fuses left enabled. These are build-time switches in the Electron binary: RunAsNode allows the packaged application to be started as a plain Node.js process, and EnableNodeCliInspectArguments allows Node inspector command-line flags to be honoured. When either is left on in a production build, the application's intended security controls can be bypassed and arbitrary code executed on the host.

Remote attackers can exploit the flaw over the network without authentication or user interaction, achieving full control over the affected system with impacts to confidentiality, integrity, and availability as reflected in its 9.8 CVSS score.

Public references point to Electron's advisory on RunAsNode-related issues and a proof-of-concept repository, indicating that mitigation centers on updating to a patched Discord release in which these Node.js integration fuses are disabled or restricted.

The associated EPSS score has remained near 0.36 with only minor fluctuation between its current and peak values, providing no indication of sharply rising exploitation interest after disclosure.

EU & UK References

Vulnerability details

An issue in Discord for macOS version 0.0.291 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: discord
Product: discord
Versions: ≤ 0.0.291

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References