CVE-2025-64723
macOS Entitlement Bypass in Arduino IDE Allows TCC Access

Publication date: 2025-12-18

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7` release.
Meta Information
Published: 2025-12-18
Last Modified: 2026-02-19
Generated: 2026-05-07
AI Q&A: 2025-12-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: arduino
Product: arduino_ide
Version / Range: up to 2.3.7 (exclusive)
CWE
CWE-276: During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Arduino IDE for macOS (up to version 2.3.6) is caused by overly permissive security entitlements that bypass macOS Hardened Runtime protections. This allows attackers with local low-privilege access to inject malicious dynamic libraries into the Arduino IDE process. As a result, attackers can gain access to all Transparency, Consent, and Control (TCC) permissions granted to the application, potentially compromising confidentiality and integrity within the system. The issue is fixed in version 2.3.7 by correcting the entitlements to prevent such dynamic library injection. [1]


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with local low-privilege access to inject malicious code into the Arduino IDE process, gaining access to all TCC permissions granted to the application. This can lead to unauthorized access to sensitive data or system components controlled by these permissions, resulting in low confidentiality and integrity loss. There is no impact on system availability. The exploitation requires no user interaction and has low complexity. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the version of the Arduino IDE installed on macOS systems. Versions prior to 2.3.7 are vulnerable. Additionally, inspecting the security entitlements of the Arduino IDE application for overly permissive settings that allow dynamic library injection can help detect the issue. Specific commands to check the version include running `arduino --version` or checking the application info. To inspect entitlements, you can use the macOS command `codesign -d --entitlements :- /path/to/Arduino.app`. Look for entitlements that bypass Hardened Runtime protections or allow dynamic library injection. [1]
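An added defender-side audit script (not from the advisory, the Arduino project, or the Q&A above) that wraps the `codesign` inspection just described: it compares the bundle version against 2.3.7 and parses the entitlements plist for the Hardened Runtime keys that relax library validation and DYLD environment handling. The app path and the key list are assumptions; the key list is Apple's documented Hardened Runtime keys, not a statement of which entitlements Arduino IDE actually shipped.

```shell
#!/bin/sh
# Added audit script (not from the advisory or Arduino). Assumed: the app path
# below; RISKY_KEYS lists Apple's documented Hardened Runtime keys that relax
# library loading, not the specific keys Arduino IDE shipped.
APP_PATH="${1:-/Applications/Arduino IDE.app}"
FIXED_VERSION="2.3.7"
RISKY_KEYS="com.apple.security.cs.disable-library-validation \
com.apple.security.cs.allow-dyld-environment-variables \
com.apple.security.cs.allow-unsigned-executable-memory"

# is_vulnerable_version X.Y.Z: exit 0 when the version is below 2.3.7 (hard-coded).
is_vulnerable_version() {
  printf '%s\n' "$1" | awk -F. '{ exit !($1 < 2 || ($1 == 2 && ($2 < 3 || ($2 == 3 && $3 < 7)))) }'
}

# has_risky_entitlements: reads an entitlements plist (XML, as printed by
# `codesign -d --entitlements :-`) on stdin, prints each risky key that is set
# to <true/>, and returns 0 if any was found, 1 otherwise.
has_risky_entitlements() {
  plist=$(tr -d '\n\t ')   # drop whitespace so <key>..</key> and <true/> are adjacent
  hit=1
  for key in $RISKY_KEYS; do
    case "$plist" in
      *"<key>$key</key><true/>"*) printf '%s\n' "$key"; hit=0 ;;
    esac
  done
  return $hit
}

# audit_app BUNDLE: version check plus a live entitlement dump (macOS only).
audit_app() {
  info="$1/Contents/Info.plist"
  ver=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$info" 2>/dev/null)
  if is_vulnerable_version "${ver:-0.0.0}"; then
    echo "VULNERABLE VERSION: ${ver:-unknown} (< $FIXED_VERSION)"
  else
    echo "version $ver is at or above $FIXED_VERSION"
  fi
  if risky=$(codesign -d --entitlements :- "$1" 2>/dev/null | has_risky_entitlements); then
    echo "RISKY ENTITLEMENTS:"; echo "$risky"
  else
    echo "no library-loading entitlements found"
  fi
}

# Run the live audit only where a bundle and codesign exist; the functions above
# can also be sourced and pointed at a saved entitlements dump.
if [ -d "$APP_PATH" ] && command -v codesign >/dev/null 2>&1; then
  audit_app "$APP_PATH"
fi
```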


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Arduino IDE on macOS to version 2.3.7 or later, where the security entitlements have been corrected to prevent dynamic library injection and Hardened Runtime bypass. Until the update can be applied, restrict local access to the system to trusted users only, as exploitation requires local access with low privileges. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. [1]

