js · actual · Heads-up
Actual macOS 25.x (Electron 39.2.7) ELECTRON_RUN_AS_NODE enabled allows arbitrary code execution
What changed
The Actual macOS application version 25.x (Electron 39.2.7) ships with the ELECTRON_RUN_AS_NODE fuse enabled, which allows arbitrary code execution.
Who it affects
Users of Actual macOS application version 25.x (Electron 39.2.7).
What to do today
Update Actual to a patched version that disables the ELECTRON_RUN_AS_NODE fuse or apply a workaround if available.
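To confirm whether a given build still has the fuse enabled, the sketch below (an added example, not code from the advisory or the Actual project) parses the fuse bytes out of an Electron binary. The sentinel string, byte layout and fuse index are assumptions based on the format used by the @electron/fuses tool; `readFuseWires`, `runAsNodeEnabled` and `sampleBinary` are names chosen here.

```javascript
// Added example: reads Electron fuse states from the raw bytes of an Electron binary.
// Assumed wire layout (as used by the @electron/fuses tool): SENTINEL, then a version
// byte, a length byte, and one ASCII state byte per fuse; RunAsNode is fuse index 0.
const SENTINEL = 'dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX';
const STATES = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };
const RUN_AS_NODE = 0;

// Returns one { offset, version, fuses[] } record per sentinel found in `bytes`.
// A universal (multi-architecture) binary may hold one fuse wire per slice.
function readFuseWires(bytes) {
  const buf = Buffer.from(bytes);
  const wires = [];
  let at = buf.indexOf(SENTINEL, 0, 'latin1');
  while (at !== -1) {
    const header = at + SENTINEL.length;
    if (header + 2 > buf.length) throw new Error('truncated fuse header');
    const version = buf[header];
    const length = buf[header + 1];
    const body = buf.subarray(header + 2, header + 2 + length);
    if (body.length !== length) throw new Error('truncated fuse wire');
    wires.push({
      offset: at,
      version,
      fuses: Array.from(body, (b) => STATES[b] || `unknown(0x${b.toString(16)})`),
    });
    at = buf.indexOf(SENTINEL, header, 'latin1');
  }
  return wires;
}

// True if any fuse wire in the binary leaves RunAsNode enabled.
function runAsNodeEnabled(bytes) {
  const wires = readFuseWires(bytes);
  if (wires.length === 0) throw new Error('no fuse sentinel found; not an Electron binary?');
  return wires.some((w) => w.fuses[RUN_AS_NODE] === 'enabled');
}

// Constructed sample bytes (not taken from the Actual app): padding, sentinel,
// version 1, one state byte per fuse, padding.
function sampleBinary(states) {
  return Buffer.concat([
    Buffer.from('\0\0pad'), Buffer.from(SENTINEL, 'latin1'),
    Buffer.from([1, states.length]), Buffer.from(states, 'latin1'), Buffer.from('tail'),
  ]);
}

console.log('fuse on :', runAsNodeEnabled(sampleBinary('1010'))); // true
console.log('fuse off:', runAsNodeEnabled(sampleBinary('0010'))); // false
```

On macOS the fuse bytes typically live in the app bundle's `Electron Framework` binary; pass that file's contents (for example from `fs.readFileSync`) to `runAsNodeEnabled`.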
Source
GitHub Advisory · actual