Discord is a popular chat and voice app used by millions worldwide—for gaming, communities, or just hanging out with friends. But even the best apps can have security vulnerabilities. In early 2024, a serious security flaw surfaced in Discord for macOS, tracked as CVE-2024-23739. This bug allows remote attackers to execute any code they want on your computer, thanks to some misconfigured settings in the app.

This post will explain what happened, why it’s dangerous, how the exploit works, and what you can do to stay safe. Let’s dive in.

What is CVE-2024-23739?

CVE-2024-23739 affects Discord for macOS version ..291 and earlier. It all centers around how Discord sets up its internal JavaScript engine. Two settings (RunAsNode and EnableNodeCliInspectArguments) were accidentally exposed or misused, opening the door for attackers.

If Discord receives a specially-made link or message, and these settings are still on, it could let hackers run any code on your Mac—just by you reading that message or clicking a link.

*That means an attacker could install malware on your computer, steal your passwords, or take over your entire system.*

How Does the Exploit Work?

Discord is built using Electron, which mixes web tech (like JavaScript and HTML) with Node.js powers. For normal safety, apps turn off most Node.js features, so a random website or message can’t mess with your computer. But by setting RunAsNode and EnableNodeCliInspectArguments to true, Discord accidentally let normal JavaScript scripts act like full Node.js programs. That’s where the risk comes from.

1. Vulnerable Setting: RunAsNode

When set, Electron treats the app as a command-line Node.js process, not just a web app. That means scripts have full powers.

2. Vulnerable Setting: EnableNodeCliInspectArguments

This lets someone pass extra command-line arguments to Node.js when Discord launches. An attacker can use this to, for example, tell Discord to run a file or command of their choosing.

Suppose Discord is started with these flags active. A malicious page (shared by an attacker) runs:

```javascript
// This code runs inside Discord, if Node.js options are enabled
const { exec } = require('child_process');

// Run a harmless example—this could be anything, like installing malware!
exec('open /Applications/Calculator.app', (error, stdout, stderr) => {
  if (error) {
    console.error(`Error: ${error.message}`);
    return;
  }
  console.log(`Result: ${stdout}`);
});
```

But of course, a real attacker would run something way worse than Calculator.

What’s the Impact?

- Anyone who tricked you into processing their link/message could run any code they want on your Mac.

Make sure your Discord for macOS is above version ..291. Later versions fix this bug.
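
To check whether an Electron app still has these two settings on, the following added example (not from the original post or from Discord) reads the fuse bytes that Electron embeds in its binary and flags RunAsNode and EnableNodeCliInspectArguments when they are enabled. The sentinel string, byte layout and fuse order are assumptions taken from the @electron/fuses tooling; `readFuses`, `auditFuses` and `sampleBinary` are hypothetical names, and the sample bytes are constructed.

```javascript
// Added example: report the state of the two Electron fuses named in this post.
// Assumed layout (from the @electron/fuses tooling): sentinel string, one version
// byte, one length byte, then one ASCII byte per fuse ('0', '1' or 'r').
const SENTINEL = Buffer.from('dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX', 'ascii');
const FUSE_NAMES = ['RunAsNode', 'EnableCookieEncryption',
  'EnableNodeOptionsEnvironmentVariable', 'EnableNodeCliInspectArguments'];
const STATES = { 0x30: 'disabled', 0x31: 'enabled', 0x72: 'removed' };
const RISKY = ['RunAsNode', 'EnableNodeCliInspectArguments'];

// Return every fuse wire found in the binary (there may be more than one copy).
function readFuses(binary) {
  const wires = [];
  let at = binary.indexOf(SENTINEL);
  while (at !== -1) {
    const start = at + SENTINEL.length;
    const version = binary[start];
    const length = binary[start + 1];
    // Skip a truncated wire instead of reading past the end of the buffer.
    if (length !== undefined && start + 2 + length <= binary.length) {
      const fuses = {};
      for (let i = 0; i < length; i++) {
        const name = FUSE_NAMES[i] || `fuse#${i}`;
        fuses[name] = STATES[binary[start + 2 + i]] || 'unknown';
      }
      wires.push({ offset: at, version, fuses });
    }
    at = binary.indexOf(SENTINEL, start);
  }
  return wires;
}

// Flag the app if any wire leaves one of the two fuses enabled.
function auditFuses(binary) {
  const wires = readFuses(binary);
  const risky = RISKY.filter((name) => wires.some((w) => w.fuses[name] === 'enabled'));
  return { found: wires.length > 0, risky };
}

// Constructed sample input: padding, sentinel, version 1, then the given states.
function sampleBinary(states) {
  const wire = Buffer.from([1, states.length, ...Buffer.from(states, 'ascii')]);
  return Buffer.concat([Buffer.alloc(16), SENTINEL, wire, Buffer.alloc(16)]);
}

console.log(auditFuses(sampleBinary('1101'))); // both fuses enabled
console.log(auditFuses(sampleBinary('0100'))); // both fuses disabled
```

On a real install, pass the contents of the app's Electron Framework binary to `auditFuses` as a Buffer; `npx @electron/fuses read --app <path>` reports the same fuse states.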

Summary

CVE-2024-23739 is a serious bug that affects old versions of Discord for Mac. It makes it way too easy for attackers to run code on your machine just by sharing a crafty message or link. Don’t delay: update Discord right away and stay away from unknown content until you do.

> Stay safe, and always keep your favorite apps up to date!

Want to know more?

If you’re curious, you can read about the vulnerability on NVD and the HackerOne bug bounty report.



Timeline

Published on: 01/28/2024 03:15:07 UTC
Last modified on: 02/16/2024 16:15:57 UTC