Node.js Trust Falls: Dangerous Module Resolution on Windows
ID: 63a8cc70-e265-5bbd-a439-194aef82d609
STIX ID: report--63a8cc70-e265-5bbd-a439-194aef82d609
Feed Name: Zero Day Initiative (ZDI) Blog
The report outlines a pattern where Windows desktop apps built on Node.js/Electron can be made to execute attacker-controlled code due to missing or optional dependencies (examples include Discord, MongoDB Compass, and MongoDB Shell). It emphasizes that many vendors have declined to classify these local attack vectors as security vulnerabilities, while the issue potentially affects a broad range of Node.js-based desktop and web framework applications.
