
Conversation


@pd-redis pd-redis commented Jan 9, 2026

What

Disables the ELECTRON_RUN_AS_NODE fuse to prevent sandbox bypass attacks reported in RED-174764

When ELECTRON_RUN_AS_NODE=1 environment variable is set, an attacker with local access could run arbitrary JavaScript using the signed RedisInsight binary, bypassing Electron's sandbox and security controls.

This fix adds an afterPack hook to electron-builder that flips the RunAsNode fuse to false during the build process, following Electron's security recommendations.

Before: ELECTRON_RUN_AS_NODE=1 "Redis Insight" -e 'console.log("executed")' runs arbitrary JS
After: Environment variable is ignored, app exits normally

Testing

  1. Build the app using CI or locally with yarn package:prod
  2. Download/locate the built binary
  3. Verify fuses are correctly set: npx @electron/fuses read --app "./Redis Insight.app"

npx @electron/fuses read --app /Applications/Redis\ Insight.app
Analyzing app: Redis Insight 2.app
Fuse Version: v1
  RunAsNode is Disabled
  EnableCookieEncryption is Disabled
  EnableNodeOptionsEnvironmentVariable is Enabled
  EnableNodeCliInspectArguments is Enabled
  EnableEmbeddedAsarIntegrityValidation is Disabled
  OnlyLoadAppFromAsar is Disabled
  LoadBrowserProcessSpecificV8Snapshot is Disabled
  GrantFileProtocolExtraPrivileges is Enabled

  4. Test the original exploit no longer works (app should show normal UI):

# macOS
ELECTRON_RUN_AS_NODE=1 "./Redis Insight.app/Contents/MacOS/Redis Insight" -e 'console.log("VULNERABLE")'
# Should NOT print "VULNERABLE"

  5. Verify the app still launches and functions normally

Note

Hardens the packaged app by flipping Electron fuses during build to block node execution via environment variable.

  • Adds scripts/afterPack.js that uses @electron/fuses to set FuseV1Options.RunAsNode=false on the packaged binary across macOS/Windows/Linux
  • Wires the hook in electron-builder.json via afterPack

Written by Cursor Bugbot for commit 9fce0a9.


github-actions bot commented Jan 9, 2026

Code Coverage - Frontend unit tests

Status | Category   | Percentage | Covered / Total
🟢     | Statements | 82.83%     | 21092/25463
🟡     | Branches   | 68.04%     | 8880/13051
🟡     | Functions  | 78.01%     | 5780/7409
🟢     | Lines      | 83.24%     | 20660/24820

Test suite run success

5487 tests passing in 704 suites.

Report generated by 🧪jest coverage report action from 9fce0a9
