CVE-2025-8672
BaseFortify
Publication date: 2025-08-11
Last updated on: 2025-09-12
Assigner: CERT.PL
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gimp | gimp | From 3.0.2 (inclusive); fixed in 3.1.4.2 |
| apple | macos | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | Incorrect Default Permissions: during installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-8672 is a vulnerability in the macOS build of GIMP: the Python interpreter bundled inside the application inherits the Transparency, Consent, and Control (TCC) permissions that the user has granted to GIMP itself. An attacker with local user access can run arbitrary commands or scripts through that interpreter and reuse GIMP's existing TCC grants to read files in privacy-protected folders without any consent prompt. If the attacker reaches for a resource GIMP has not been granted, macOS shows the approval prompt under GIMP's name, so the user may approve it believing the request comes from GIMP. The issue is fixed in GIMP 3.1.4.2. [1]
How can this vulnerability impact me? :
This vulnerability can allow a local attacker to access your files in privacy-protected folders without your knowledge or consent by exploiting the TCC permissions granted to GIMP. It can lead to unauthorized access to sensitive data and potentially allow malicious scripts or commands to run with the permissions of the GIMP application, bypassing normal macOS privacy protections. Additionally, if the attacker tries to access resources beyond those permissions, the user may be tricked into approving requests thinking they come from GIMP, increasing the risk of further compromise. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start from the affected-version table above: any macOS GIMP build from 3.0.2 up to, but not including, 3.1.4.2 should be treated as exposed, so compare the bundle's CFBundleShortVersionString against 3.1.4.2. Next, enumerate the TCC permissions GIMP already holds (System Settings > Privacy & Security, or the access table of the per-user TCC.db, which needs Full Disk Access to read), because the attack reuses exactly those grants without prompting [1]. At runtime, watch for the interpreter bundled inside GIMP.app being launched with a parent process or command line that is not GIMP's normal plug-in flow, and review TCC decisions attributed to GIMP in the unified log (subsystem com.apple.TCC) at times when nobody was using the application. The broader guidance in [2] (verifying the signatures of nested bundles, hunting for stray AppleScript apps such as avatarde.app planted inside trusted bundles like Zoom, checking their Info.plist for LSUIElement set to true, and using Jamf Protect or similar tools to verify bundle integrity) was written for an earlier, different TCC abuse; it helps catch attacker-planted payloads but does not by itself tell you whether GIMP's own interpreter has been misused. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to update GIMP to 3.1.4.2 or later, where the issue is fixed [1]. Until that is done, revoke the permissions GIMP currently holds in System Settings > Privacy & Security, so the bundled interpreter has nothing to inherit, and do not approve privacy prompts that appear under GIMP's name when you did not just trigger them in GIMP. Treat untrusted scripts and plug-ins as code execution with GIMP's privileges. Keeping macOS current is still good practice, but note that Apple's macOS 11.4 fix described in [2] addressed a different, earlier TCC bypass; it does not fix this issue, which lives in GIMP's own application bundle. Endpoint protection such as Jamf Protect can help flag tampered app bundles and unexpected code execution from inside them. [1, 2]
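The following script is an added example that turns the detection and mitigation answers above into runnable checks; it is not BaseFortify's, CERT.PL's or the GIMP project's code. It assumes GIMP is installed at /Applications/GIMP.app, that its bundle identifier is org.gimp.gimp, that the bundled interpreter's file name starts with "python", and that the per-user TCC database sits at its standard path (reading it requires the terminal running the script to have Full Disk Access). All of those are labelled assumptions; override GIMP_APP and GIMP_BUNDLE_ID in the environment if your install differs. The version comparison is plain POSIX sh and works on any system; the bundle and TCC checks only run on macOS.

```shell
#!/bin/sh
# Added example for CVE-2025-8672 checks on macOS; not BaseFortify's or GIMP's own code.
# Labelled assumptions: install path, bundle identifier, interpreter file name, TCC.db path.

GIMP_APP="${GIMP_APP:-/Applications/GIMP.app}"      # assumed install path
GIMP_BUNDLE_ID="${GIMP_BUNDLE_ID:-org.gimp.gimp}"   # assumed bundle identifier
FIRST_AFFECTED="3.0.2"                              # start of the affected range (table above)
FIXED_VERSION="3.1.4.2"                             # first fixed release per the advisory

# vercmp A B: print -1, 0 or 1 for A < B, A = B, A > B on dotted numeric versions.
# Missing trailing components count as 0, so 3.1.4 < 3.1.4.2.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then echo -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# gimp_version_is_vulnerable V: exit 0 when FIRST_AFFECTED <= V < FIXED_VERSION.
gimp_version_is_vulnerable() {
    [ "$(vercmp "$1" "$FIRST_AFFECTED")" -ge 0 ] && [ "$(vercmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Version string of the installed bundle (macOS only; fails if GIMP is not at GIMP_APP).
installed_gimp_version() {
    defaults read "$GIMP_APP/Contents/Info.plist" CFBundleShortVersionString 2>/dev/null
}

# Interpreters shipped inside the bundle: these are what inherit GIMP's TCC grants.
# Assumption: the bundled interpreter's file name starts with "python".
bundled_interpreters() {
    find "$GIMP_APP/Contents" -type f -name 'python*' -perm -u=x 2>/dev/null
}

# TCC grants recorded for GIMP in the per-user database (auth_value 2 = allowed).
gimp_tcc_grants() {
    sqlite3 "$HOME/Library/Application Support/com.apple.TCC/TCC.db" \
        "SELECT service, auth_value FROM access WHERE client = '$GIMP_BUNDLE_ID';"
}

# Unified-log TCC decisions mentioning GIMP in the last day; review any made while GIMP was idle.
gimp_tcc_log() {
    log show --predicate 'subsystem == "com.apple.TCC"' --last 1d 2>/dev/null | grep -i gimp
}

# Interim mitigation until 3.1.4.2 is installed: drop every grant so the interpreter inherits
# nothing. GIMP prompts again on its next legitimate use of a protected resource.
revoke_gimp_tcc_grants() {
    tccutil reset All "$GIMP_BUNDLE_ID"
}

main() {
    v="$(installed_gimp_version)" && [ -n "$v" ] || { echo "GIMP not found at $GIMP_APP"; return 2; }
    if gimp_version_is_vulnerable "$v"; then
        echo "GIMP $v is in the affected range for CVE-2025-8672 (fixed in $FIXED_VERSION)"
    else
        echo "GIMP $v is outside the affected range"
    fi
    echo "--- bundled interpreters:";           bundled_interpreters
    echo "--- TCC grants for $GIMP_BUNDLE_ID:"; gimp_tcc_grants
    echo "--- recent TCC log lines for GIMP:";  gimp_tcc_log
    [ "$1" = "--revoke" ] && revoke_gimp_tcc_grants
    return 0
}

# Only the bundle/TCC checks need Darwin; vercmp and gimp_version_is_vulnerable run anywhere.
case "$(uname -s)" in
    Darwin) main "$@" ;;
    *) echo "not macOS: skipping bundle and TCC checks" >&2 ;;
esac
```

Run it as `sh check_gimp_tcc.sh` to report the installed version, the interpreters inside the bundle, GIMP's recorded TCC grants and the recent TCC log; add `--revoke` to clear the grants as an interim mitigation. A non-empty grants list on a version in the affected range is exactly the precondition the advisory describes, since the bundled interpreter can use those grants without a prompt.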