CVE-2025-53811

Vulnerability

Description

Mosh-Pro for macOS (version 1.3.2 and possibly earlier) ships with the Electron RunAsNode fuse enabled. This configuration flaw means that the Electron helper process can be spawned without proper sandboxing, allowing a local attacker who has already achieved unprivileged code execution to run arbitrary commands that inherit Mosh-Pro's existing Transparency, Consent, and Control (TCC) permissions [1][2]. The root cause is classified as an Incorrect Default Permissions (CWE-276) [2].

Exploitation

Prerequisites

Exploitation requires the attacker to already have unprivileged local access to the victim's macOS system. No additional authentication is needed because the attacker can run code in the context of the Mosh-Pro application. The attack surface is the RunAsNode fuse: when enabled, the Node.js child process does not enforce macOS hard runtime restrictions, so the attacker's payload runs with the same TCC entitlements that the user previously granted to Mosh-Pro [2].

Impact

A successful attacker gains the ability to access any resource that the user has already explicitly permitted Mosh-Pro to use—for example, the camera, microphone, files, or screen recording. Any attempt to access a resource not yet approved will trigger a TCC prompt that appears to come from Mosh-Pro, thereby deceiving the user into granting additional permissions to what is actually the attacker's code [1]. This can lead to a gradual compromise of the user's private data.

Mitigation

Status

The vendor (Mosh-Pro) did not respond to the CNA's outreach, so the patching status is unknown [2]. Users should consider revoking unnecessary TCC permissions from Mosh-Pro and monitor for any vendor update that disables the RunAsNode fuse.