CVE-2025-7961

Vulnerability

Overview

CVE-2025-7961 describes a code injection vulnerability in Wulkano KAP versions prior to 3.6.0 on macOS. The root cause is a misconfiguration in the Node.js environment settings, which allows an attacker to inject and execute arbitrary code by manipulating the ELECTRON_RUN_AS_NODE environment variable or by using the --inspect option. This improper control of code generation bypasses the application's intended security boundaries [1].

Exploitation

An attacker with local access or the ability to influence the application's environment can exploit this flaw. By setting the ELECTRON_RUN_AS_NODE variable or enabling the --inspect flag, the attacker can execute arbitrary JavaScript code within the Electron process. No authentication is required beyond the ability to modify environment variables or command-line arguments, which may be achievable through other local exploits or social engineering [1].

Impact

Successful exploitation allows the attacker to bypass macOS's Transparency, Consent, and Control (TCC) mechanism. This enables unauthorized capture of audio or video without the user's knowledge or consent, compromising system privacy. The vulnerability is rated Medium severity due to the requirement for local access and the potential for privacy violations [1].

Mitigation

As of the advisory date, no patch is available for this vulnerability. Users are advised to monitor for updates from the vendor or consider restricting execution of KAP until a fix is released. The project is open-source and hosted on GitHub [2], but no official mitigation has been provided [1].