CVE-2025-51387

CRITICAL

GitKraken Desktop 10.8.0-11.1.0 - Code Injection

Title source: llm

Description

The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Specifically, the following insecure settings were observed: RunAsNode is enabled and EnableNodeCliInspectArguments is not disabled. These configurations allow the application to be executed in Node.js mode, enabling attackers to pass arguments that result in arbitrary code execution.

References (3)

Core 3

Core References

Not Applicable

https://github.com/r3ggi/electroniz3r

View Writeup ZIP pw:eip

Broken Link

https://packetstorm.news/files/id/207677

Mitigation

https://www.electronjs.org/blog/statement-run-as-node-cves#mitigation

Scores

CVSS v3 9.8

EPSS 0.0052

EPSS Percentile 40.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-94

Status published

Products (2)

axosoft/gitkraken_desktop 10.8.0

axosoft/gitkraken_desktop 11.1.0

Published Aug 04, 2025

Tracked Since Feb 18, 2026