CVE-2025-64724
Unknown Unknown - Not Provided
World-Writable Permissions in Arduino IDE macOS Enable Privilege Escalation

Publication date: 2025-12-18

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64724
EUVD
EUVD-2025-204308
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
arduino arduino_ide to 2.3.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Arduino IDE for macOS versions prior to 2.3.7. The application is installed with world-writable file permissions on sensitive components, which means any local user can modify these files and replace them with malicious code. When another user runs the application, the malicious code executes with that user's privileges, potentially allowing privilege escalation and unauthorized access to sensitive data. The root cause is incorrect default permissions (CWE-276). The issue was fixed in version 2.3.7 by correcting the file permissions to prevent unauthorized modifications. [1]

Impact Analysis

This vulnerability can allow a local attacker with low privileges to escalate their privileges by injecting malicious code into the Arduino IDE application files. When another user launches the application, the malicious code runs with that user's privileges, potentially leading to unauthorized access to sensitive data. However, the impact on confidentiality and integrity is considered low, and there is no impact on availability. [1]

Detection Guidance

This vulnerability can be detected by checking for world-writable file permissions on sensitive Arduino IDE application components on macOS systems with versions prior to 2.3.7. You can use commands like `ls -l` or `find` to identify files with insecure permissions. For example, running `find /Applications/Arduino.app -perm -o=w` can list files that are world-writable within the Arduino IDE application directory. [1]

Mitigation Strategies

The immediate mitigation step is to update the Arduino IDE on macOS to version 2.3.7 or later, where the file permissions issue has been fixed to prevent unauthorized modifications. Until the update is applied, restrict local user access to the Arduino IDE application files to prevent unauthorized changes. [1]

Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64724. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart