CVE-2025-10016
BaseFortify
Publication date: 2025-09-16
Last updated on: 2025-09-16
Assigner: CERT.PL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sparkle | autoupdate | 2.7.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Sparkle framework's Autoupdate helper tool. Because the helper does not authenticate the clients that connect to it, a local unprivileged attacker can win a race to connect to it at the moment another application spawns it as root, before the legitimate client does. Once connected, the attacker can ask the helper to install a crafted malicious PKG file, which results in local privilege escalation to root. Autoupdate can also be spawned on demand through the Installer XPC service, but that path requires the victim to enter credentials in a system authorization dialog, which the attacker can modify.
How can this vulnerability impact me?
This vulnerability can allow a local unprivileged attacker to escalate their privileges to root on the affected system. This means the attacker could gain full control over the system, potentially installing malicious software, accessing sensitive data, or modifying system configurations without authorization.
What immediate steps should I take to mitigate this vulnerability?
Update the Sparkle framework to version 2.7.2 or later, which contains the fix. Note that Sparkle is not installed system-wide: each application that uses it ships its own copy inside its bundle, so the update has to come from each affected application (typically a new release from its vendor), and the bundled Sparkle version must be checked per application. Until the updates can be applied, limit the attack surface that the flaw needs: the attack requires a local unprivileged account, so keep untrusted users off affected machines, and treat an Autoupdate helper process running as root as something to watch for, since that is the window the race targets.
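Because the fix has to arrive per application, the practical first step is an inventory of which app bundles carry an old Sparkle copy. The script below is an added example, not code from the page or from the Sparkle project. It assumes the usual bundle layout (`<App>.app/Contents/Frameworks/Sparkle.framework` with an `Info.plist` under `Versions/*/Resources/` or `Resources/` carrying `CFBundleShortVersionString`), and it treats anything strictly older than 2.7.2 as affected, which is inferred from the advisory's "2.7.2 or later" guidance rather than stated by the page. The sample bundle it builds for the demo is constructed, not taken from a real system.

```python
"""Inventory app bundles whose embedded Sparkle.framework predates 2.7.2.

Added example, not Sparkle's own code. Assumptions (not from the page):
the framework lives at <App>.app/Contents/Frameworks/Sparkle.framework,
its Info.plist sits under Versions/*/Resources/ or Resources/, and
CFBundleShortVersionString holds the Sparkle release number.
"""
import os
import plistlib
import re
import sys
import tempfile
from pathlib import Path

# Assumption: first release carrying the fix, per the "2.7.2 or later" advice.
FIXED_VERSION = (2, 7, 2)


def parse_version(text):
    """Turn '2.7.1', '2.7.2-beta.1' or '2.6' into a comparable 3-int tuple.
    Only the leading dotted-numeric part counts; missing fields read as 0."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version_text):
    """True when the bundled Sparkle is strictly older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def sparkle_version_from_plist(plist_bytes):
    """Read CFBundleShortVersionString from an XML or binary Info.plist."""
    return plistlib.loads(plist_bytes).get("CFBundleShortVersionString")


def find_sparkle_frameworks(root):
    """Yield (app_path, framework_path) for every Sparkle.framework under root."""
    for app in Path(root).rglob("*.app"):
        fw = app / "Contents" / "Frameworks" / "Sparkle.framework"
        if fw.is_dir():
            yield app, fw


def framework_info_plist(framework_path):
    """Locate the framework's Info.plist (versioned layout first, flat fallback)."""
    fw = Path(framework_path)
    candidates = []
    if (fw / "Versions").is_dir():
        candidates.extend((fw / "Versions").glob("*/Resources/Info.plist"))
    candidates.append(fw / "Resources" / "Info.plist")
    for p in candidates:
        if p.is_file():
            return p
    return None


def scan(root):
    """Return [(app, version, affected)] for every Sparkle bundle found.
    version/affected are None when the plist or key is missing."""
    results = []
    for app, fw in find_sparkle_frameworks(root):
        plist = framework_info_plist(fw)
        if plist is None:
            results.append((str(app), None, None))
            continue
        version = sparkle_version_from_plist(plist.read_bytes())
        results.append((str(app), version, is_affected(version) if version else None))
    return results


def build_sample_tree(base_dir, app_name, version):
    """Constructed fixture: a fake .app bundle embedding Sparkle at `version`."""
    res = Path(base_dir) / app_name / "Contents" / "Frameworks" / \
        "Sparkle.framework" / "Versions" / "B" / "Resources"
    res.mkdir(parents=True, exist_ok=True)
    (res / "Info.plist").write_bytes(
        plistlib.dumps({"CFBundleShortVersionString": version}))
    return res


def demo():
    """Scan a throwaway directory holding one old and one fixed bundle."""
    base = tempfile.mkdtemp()
    build_sample_tree(base, "OldApp.app", "2.6.4")
    build_sample_tree(base, "NewApp.app", "2.7.2")
    return sorted(scan(base))


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/Applications"
    for app, version, affected in scan(root):
        status = "UNKNOWN" if affected is None else ("AFFECTED" if affected else "ok")
        print(f"{status:8} {version or '?':>10}  {app}")
```

Run it with no argument to walk `/Applications`, or pass another root (for example a user's `~/Applications`). Bundles that report UNKNOWN have a Sparkle.framework without a readable version and deserve a manual look; the comparison deliberately ignores pre-release suffixes so that `2.7.2-beta.1` is not misreported as older than 2.7.2.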