CVE-2025-64724
World-Writable Permissions in Arduino IDE macOS Enable Privilege Escalation

Publication date: 2025-12-18

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: arduino
Product: arduino_ide
Version / Range: up to 2.3.7 (excluding)
CWE
CWE-276: During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Arduino IDE for macOS versions prior to 2.3.7. The application is installed with world-writable file permissions on sensitive components, which means any local user can modify these files and replace them with malicious code. When another user runs the application, the malicious code executes with that user's privileges, potentially allowing privilege escalation and unauthorized access to sensitive data. The root cause is incorrect default permissions (CWE-276). The issue was fixed in version 2.3.7 by correcting the file permissions to prevent unauthorized modifications. [1]


How can this vulnerability impact me?

This vulnerability can allow a local attacker with low privileges to escalate their privileges by injecting malicious code into the Arduino IDE application files. When another user launches the application, the malicious code runs with that user's privileges, potentially leading to unauthorized access to sensitive data. However, the impact on confidentiality and integrity is considered low, and there is no impact on availability. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for world-writable file permissions on sensitive Arduino IDE application components on macOS systems with versions prior to 2.3.7. You can use commands like `ls -l` or `find` to identify files with insecure permissions. For example, running `find /Applications/Arduino.app -perm -o=w` can list files that are world-writable within the Arduino IDE application directory. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to update the Arduino IDE on macOS to version 2.3.7 or later, where the file permissions issue has been fixed to prevent unauthorized modifications. Until the update is applied, restrict local user access to the Arduino IDE application files to prevent unauthorized changes. [1]
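The detection and mitigation answers above both come down to one file-permission check and its inverse. The following script is an added example for this record, not code from Arduino or from the advisory: it lists regular files whose "other" write bit is set (the same `-perm -o=w` test the detection answer suggests, restricted to regular files), counts them, and clears that bit as the interim hardening step until the 2.3.7 update is installed. The bundle path is an assumption passed as an argument, defaulting to the `/Applications/Arduino.app` path named above; the demo builds a throwaway directory tree shaped like an app bundle rather than touching a real installation.

```shell
#!/bin/sh
# Added example for CVE-2025-64724 (not from Arduino or the advisory): audit a
# directory tree for world-writable files (the CWE-276 condition) and clear the
# "other" write bit as an interim hardening step. The bundle path is assumed.

# List regular files under $1 whose "other" write bit is set. Same test as the
# record's `find ... -perm -o=w`, limited to regular files (-type f).
list_world_writable() {
    find "$1" -type f -perm -o=w 2>/dev/null
}

# Number of such files as a bare integer, usable as a monitoring threshold.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Interim hardening: clear the "other" write bit on every offending file.
# Ownership, the owner/group bits and directory modes are left untouched.
remove_world_write() {
    find "$1" -type f -perm -o=w -exec chmod o-w {} + 2>/dev/null
}

# Human-readable audit. Returns 1 when anything world-writable is found,
# 2 when the path is not a directory, 0 when the tree is clean.
audit_bundle() {
    dir="${1:-/Applications/Arduino.app}"   # default taken from the record
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    n=$(count_world_writable "$dir")
    if [ "$n" -gt 0 ]; then
        echo "$n world-writable file(s) under $dir:"
        list_world_writable "$dir"
        return 1
    fi
    echo "no world-writable files under $dir"
    return 0
}

# Constructed demonstration: a temporary tree laid out like a macOS app bundle,
# with one resource file deliberately set to mode 666. Prints the count of
# world-writable files before and after hardening, e.g. "1 0".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Contents/MacOS" "$tmp/Contents/Resources"
    printf 'placeholder binary\n' > "$tmp/Contents/MacOS/app"
    printf 'placeholder resource\n' > "$tmp/Contents/Resources/resource.dat"
    chmod 755 "$tmp/Contents/MacOS/app"
    chmod 666 "$tmp/Contents/Resources/resource.dat"   # the insecure mode
    before=$(count_world_writable "$tmp")
    remove_world_write "$tmp"
    after=$(count_world_writable "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}

# Run the self-contained demo with: sh audit.sh --demo
# Audit a real bundle with:        sh -c '. ./audit.sh; audit_bundle "/path/to/bundle.app"'
[ "${1:-}" = "--demo" ] && demo
```

Running the audit as the user who installed the IDE shows whether the fix shipped in 2.3.7 (or the interim `chmod o-w`) has actually taken effect; a non-zero count after applying either means some component is still modifiable by every local account and should be treated as untrusted until reinstalled from the fixed release.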


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

