CVE-2025-22136

Tabby has a TCC Bypass via Misconfigured Node Fuses

Description

Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fuses create potential code injection vectors even though the application is signed with hardened runtime and lacks dangerous entitlements such as com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables. This vulnerability is fixed in 1.0.217.

INFO

Published Date :

2025-01-08T16:02:01.460Z

Last Modified :

2025-01-08T19:25:39.232Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-22136 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-22136.

URL	Resource
https://github.com/Eugeny/tabby/commit/93513541f7161fa8a59491603cabb6a101c0c08e
https://github.com/Eugeny/tabby/security/advisories/GHSA-prcj-7rvc-26h4

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability