High severityOSV Advisory· Published Jan 8, 2025· Updated Apr 15, 2026

CVE-2025-22136

Description

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fuses create potential code injection vectors even though the application is signed with hardened runtime and lacks dangerous entitlements such as com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables. This vulnerability is fixed in 1.0.217.

Affected products

Eugeny/TabbyOSV2 versions
v0.0.1, v1.0.0-alpha.1, v1.0.0-alpha.10, …+ 1 more
- (no CPE)range: v0.0.1, v1.0.0-alpha.1, v1.0.0-alpha.10, …
- (no CPE)range: < 1.0.217

Patches

c43ee28a0ccb

https://github.com/Eugeny/tabbyvia osv

commit

93513541f716

https://github.com/Eugeny/tabbyvia osv

commit

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000