CVE-2024-23739
Published: 28 January 2024
Summary
CVE-2024-23739 is a critical-severity an unspecified weakness vulnerability in Discord Discord. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 2.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2024-23739 is a remote code execution vulnerability affecting Discord for macOS versions 0.0.291 and earlier. It stems from the application's use of Electron's RunAsNode and enableNodeCliInspectArguments settings, which can be abused to bypass intended security controls and execute arbitrary code on the host.
Remote attackers can exploit the flaw over the network without authentication or user interaction, achieving full control over the affected system with impacts to confidentiality, integrity, and availability as reflected in its 9.8 CVSS score.
Public references point to Electron's advisory on RunAsNode-related issues and a proof-of-concept repository, indicating that mitigation centers on updating to a patched Discord release that disables or restricts these Node.js integration flags.
The associated EPSS score has remained near 0.36 with only minor fluctuation between its current and peak values, providing no indication of sharply rising exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-21195
Vulnerability details
An issue in Discord for macOS version 0.0.291 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.