Description
Tabby (formerly Terminus) is a highly configurable terminal emulator. Prior to 1.0.217 , Tabby enables several high-risk Electron Fuses, including RunAsNode, EnableNodeCliInspectArguments, and EnableNodeOptionsEnvironmentVariable. These fuses create potential code injection vectors even though the application is signed with hardened runtime and lacks dangerous entitlements such as com.apple.security.cs.disable-library-validation and com.apple.security.cs.allow-dyld-environment-variables. This vulnerability is fixed in 1.0.217.
References (2)
Core 2
Core References
Vendor Advisory x_refsource_confirm
https://github.com/Eugeny/tabby/security/advisories/GHSA-prcj-7rvc-26h4
Patch x_refsource_misc
https://github.com/Eugeny/tabby/commit/93513541f7161fa8a59491603cabb6a101c0c08e
Scores
CVSS v4
8.6
EPSS
0.0024
EPSS Percentile
46.9%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
Eugeny/tabby
< 1.0.217
Published
Jan 08, 2025
Tracked Since
Feb 18, 2026