*Posted: June 2024*


If you’ve been using *Postman* on your Mac, there’s a recent concern you should know about: CVE-2024-23738. The CVE claims that you could be at risk of *remote code execution* (RCE) if certain settings are enabled. While Postman's own team disputes the claim, saying the flaw does *not* allow attackers to run code remotely, community discussion of the issue keeps heating up.

Let’s break the vulnerability down in simple terms, show you sample code, give you the facts, and help you decide if you should worry.

1. What Is CVE-2024-23738?

In Postman 10.22 and earlier on macOS, tweaking two hidden settings supposedly makes the app launch with extra debugging features that could let an attacker run their own code on your computer.

Setting #1: RunAsNode

Setting #2: enableNodeCliInspectArguments

If an attacker can modify these settings (directly, or perhaps via a rogue plugin, file, or script), they could make Postman launch its embedded Node.js runtime with command-line arguments under their control. According to the CVE report, that means someone could run commands on your machine with your permissions.

2. How Could Someone Exploit It?

The basic technique relies on Postman’s ability to launch in a special debug mode (“Node CLI Inspect Arguments”) if certain configuration flags are set. Here’s a step-by-step scenario based on public information and the disputed CVE writeup:

(A) What an Attacker Needs

- Access to your macOS user profile (either local or via a compromised process/plugin).
- Ability to change Postman’s config file, generally found at ~/Library/Application Support/Postman/config.json.

The attacker sets the hidden settings like this:

```json
{
  "RunAsNode": true,
  "enableNodeCliInspectArguments": "--inspect=...:9229 --eval 'require(\"child_process\").exec(\"open -a Calculator\")'"
}
```

*The above --eval command is for demonstration – it tries to open the Calculator app when Postman launches.*

(B) What Happens When You Start Postman

- Postman reads those settings and launches its internal Node.js process with the attacker-supplied command-line arguments.

3. Proof-of-Concept (PoC) Example

One could try to edit the configuration file (config.json) with these values and then start Postman:

```json
{
  "RunAsNode": true,
  "enableNodeCliInspectArguments": "--inspect=...:9229 --eval 'require(\"child_process\").exec(\"touch /tmp/pwned_by_cve_23738\")'"
}
```

Save and launch Postman. If the file /tmp/pwned_by_cve_23738 shows up, code was executed.

Warning: Do NOT try this on any production machine, or with important data. This is for researcher use only.

4. Vendor’s Response

According to Postman’s official statement:

> "We dispute the report's accuracy. The configuration does not enable remote code execution. This feature is not exposed or enabled by default and cannot be triggered from outside the machine…"

They argue that for an attacker to succeed, they must already have local access to your machine or your profile directory. So, in their words, it’s not the remote exploit the CVE describes.

5. Should You Worry?

- If you don’t use weird plugins, and if you trust everyone with access to your Mac and account: this is not much of a threat.

If someone already has access to your config files, they could do *many* other nasty things anyway.

But: don’t ignore the concern. It’s always best to update your software and monitor changes, because “config-triggered RCE” bugs can be chained with other flaws in the future.

6. What Can You Do? (Mitigation)

- Update Postman: Upgrade to the latest version (above 10.22) as new releases may harden these areas.
- Audit your configs: Open ~/Library/Application Support/Postman/config.json and look for odd flags, especially RunAsNode or enableNodeCliInspectArguments.
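To make that config audit repeatable, here is a small added Python checker (written for this article, not Postman's own tooling). It parses a config.json body, flags the two settings named above, and additionally reports when the inspect-argument string carries Node.js switches that expose a debugger or run code (`--inspect`, `--eval`/`-e`, `--require`/`-r`). The sample config bodies are constructed for the demo; the default file path is the one given in the text.

```python
import json
import os
import re

# Node.js CLI switches worth calling out inside the inspect-argument string:
# --inspect* opens a debugger port; --eval/-e and --require/-r run supplied JS.
DANGEROUS_ARG = re.compile(
    r"(^|\s)(--inspect(-brk)?(=\S*)?|--eval|-e|--require|-r)(\s|=|$)"
)


def audit_postman_config(text: str) -> list:
    """Return human-readable findings for one config.json body.
    An empty list means neither hidden setting is present."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["config.json is not valid JSON: %s" % exc]
    if not isinstance(cfg, dict):
        return ["config.json top level is not an object"]
    if cfg.get("RunAsNode") is True:
        findings.append("RunAsNode is true: Postman would start as a plain Node.js process")
    args = cfg.get("enableNodeCliInspectArguments")
    if args is not None:
        if isinstance(args, str) and DANGEROUS_ARG.search(args):
            findings.append("enableNodeCliInspectArguments passes debugger/eval switches: %r" % args)
        else:
            findings.append("enableNodeCliInspectArguments is set (value %r)" % (args,))
    return findings


def audit_file(path=os.path.expanduser("~/Library/Application Support/Postman/config.json")):
    """Audit the real file on this Mac; returns [] when the file does not exist."""
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return audit_postman_config(fh.read())


# Constructed sample bodies (not captured from a real machine).
SAMPLE_BAD = '{"RunAsNode": true, "enableNodeCliInspectArguments": "--inspect=9229 --eval \'x\'"}'
SAMPLE_OK = '{"theme": "dark", "telemetry": false}'

if __name__ == "__main__":
    for label, body in (("sample-bad", SAMPLE_BAD), ("sample-ok", SAMPLE_OK)):
        print(label, audit_postman_config(body) or ["clean"])
    print("local", audit_file() or ["clean or no config.json"])
```

Run it as a script to audit your own Mac; a non-empty result for the local file is a reason to look at who or what last wrote that config.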

7. References

- CVE Entry – CVE-2024-23738
- Postman Security Statement (Community)
- Security Researcher Discussion (packetstorm)

8. Final Thoughts

While CVE-2024-23738 may not be *the* devastating remote attack its title suggests, it draws attention to how *configurations* (sometimes tucked away and rarely checked) can open doors for attackers if paired with other vulnerabilities. For security, keep your systems patched, steer clear of sketchy plugins, and don’t assume “hidden” settings are always safe.

*Stay secure. Always keep an eye on your configs.*


*Written exclusively for this site. Please link back if sharing.*

Timeline

Published on: 01/28/2024 01:15:07 UTC
Last modified on: 02/26/2024 16:27:57 UTC