CVE-2024-23755

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-23755
ClickUp Desktop before 3.3.77 on macOS and Windows allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://clickup.com/security/disclosures Vendor Advisory
https://clickup.com/terms/security-policy Not Applicable
https://www.electronjs.org/blog/statement-run-as-node-cves Not Applicable
https://www.electronjs.org/docs/latest/tutorial/fuses Not Applicable
https://clickup.com/security/disclosures Vendor Advisory
https://clickup.com/terms/security-policy Not Applicable
https://www.electronjs.org/blog/statement-run-as-node-cves Not Applicable
https://www.electronjs.org/docs/latest/tutorial/fuses Not Applicable
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:clickup:clickup:*:*:*:*:*:*:*:*
OR cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

18 Sep 2025, 16:41

Type Values Removed Values Added
First Time Microsoft windows
Apple macos
Clickup clickup
Apple
Microsoft
Clickup
CPE cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:clickup:clickup:*:*:*:*:*:*:*:*
References () https://clickup.com/security/disclosures - () https://clickup.com/security/disclosures - Vendor Advisory
References () https://clickup.com/terms/security-policy - () https://clickup.com/terms/security-policy - Not Applicable
References () https://www.electronjs.org/blog/statement-run-as-node-cves - () https://www.electronjs.org/blog/statement-run-as-node-cves - Not Applicable
References () https://www.electronjs.org/docs/latest/tutorial/fuses - () https://www.electronjs.org/docs/latest/tutorial/fuses - Not Applicable

21 Nov 2024, 08:58

Type Values Removed Values Added
References () https://clickup.com/security/disclosures - () https://clickup.com/security/disclosures -
References () https://clickup.com/terms/security-policy - () https://clickup.com/terms/security-policy -
References () https://www.electronjs.org/blog/statement-run-as-node-cves - () https://www.electronjs.org/blog/statement-run-as-node-cves -
References () https://www.electronjs.org/docs/latest/tutorial/fuses - () https://www.electronjs.org/docs/latest/tutorial/fuses -

16 Aug 2024, 17:35

Type Values Removed Values Added
CWE CWE-94
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
Summary
  • (es) ClickUp Desktop anterior a 3.3.77 en macOS y Windows permite la inyección de código debido a Electron Fuses específicos. Existe una protección inadecuada contra la inyección de código a través de configuraciones como RunAsNode.

23 Mar 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-03-23 22:15

Updated : 2025-09-18 16:41

NVD link : CVE-2024-23755

Mitre link : CVE-2024-23755

CVE.ORG link : CVE-2024-23755

JSON object : View

Products Affected

apple

  • macos

clickup

  • clickup

microsoft

  • windows
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')