CVE-2025-51387

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Specifically, the following insecure settings were observed: RunAsNode is enabled and EnableNodeCliInspectArguments is not disabled. These configurations allow the application to be executed in Node.js mode, enabling attackers to pass arguments that result in arbitrary code execution.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/r3ggi/electroniz3r	Not Applicable
https://packetstorm.news/files/id/207677	Broken Link
https://www.electronjs.org/blog/statement-run-as-node-cves#mitigation	Mitigation

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:axosoft:gitkraken_desktop:10.8.0:::::::*
	cpe:2.3:a:axosoft:gitkraken_desktop:11.1.0:::::::*

History

No history.

Information

Published : 2025-08-04 21:15

Updated : 2025-10-09 17:31

NVD link : CVE-2025-51387

Mitre link : CVE-2025-51387

CVE.ORG link : CVE-2025-51387

JSON object : View

Products Affected

axosoft

gitkraken_desktop

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-51387", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-08-04T21:15:30.530", "references": [{"url": "https://github.com/r3ggi/electroniz3r", "tags": ["Not Applicable"], "source": "[email protected]"}, {"url": "https://packetstorm.news/files/id/207677", "tags": ["Broken Link"], "source": "[email protected]"}, {"url": "https://www.electronjs.org/blog/statement-run-as-node-cves#mitigation", "tags": ["Mitigation"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Specifically, the following insecure settings were observed: RunAsNode is enabled and EnableNodeCliInspectArguments is not disabled. These configurations allow the application to be executed in Node.js mode, enabling attackers to pass arguments that result in arbitrary code execution."}, {"lang": "es", "value": "GitKraken Desktop 10.8.0 y 11.1.0 es susceptible a la inyecci\u00f3n de c\u00f3digo debido a fusibles Electron mal configurados. En concreto, se observaron las siguientes configuraciones inseguras: RunAsNode est\u00e1 habilitado y EnableNodeCliInspectArguments no est\u00e1 deshabilitado. Estas configuraciones permiten que la aplicaci\u00f3n se ejecute en modo Node.js, lo que permite a los atacantes pasar argumentos que resultan en la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "lastModified": "2025-10-09T17:31:44.337", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:axosoft:gitkraken_desktop:10.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C2835CFA-6EA1-4222-8593-D13ECC996D09"}, {"criteria": "cpe:2.3:a:axosoft:gitkraken_desktop:11.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "77787CA3-C8A5-44CD-9366-79A05EF53E82"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}