CVE-2025-10015

16.09.2025, 10:15

The Sparkle frameworkincludes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application.
Lack of validation of connecting client allows the attacker tocopy TCC-protected files to an arbitrary location.Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.

This issue was fixed in version 2.7.2

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
CERT-PL	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://cert.pl/en/posts/2025/09/CVE-2025-10015

https://github.com/sparkle-project/Sparkle

https://github.com/sparkle-project/Sparkle/discussions/2764