CVE-2025-70342
Credential Exposure via Hardcoded Path in erase-install's swiftDialog
Publication date: 2026-03-04
Last updated on: 2026-03-09
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grahampugh | erase-install | all versions before 41.0 (41.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70342 is a vulnerability in the erase-install script used on Apple Silicon Macs (versions up to 40.4) that allows local unprivileged attackers to intercept administrator credentials during reinstall or erase operations.
The issue arises because the script writes swiftDialog credential output (username and password) to a hardcoded, predictable, and world-writable file path: /var/tmp/dialog.json. The script does not verify if this path has been tampered with before writing.
An attacker can exploit this by creating a named pipe (FIFO) or a symlink at /var/tmp/dialog.json pointing to a FIFO they control. When the admin enters credentials during the erase-install process, these credentials are written through the symlink or FIFO, allowing the attacker to capture them in real time.
This attack requires only low privileges, no special timing or race conditions, and only the admin entering credentials.
The vulnerability was fixed by replacing the hardcoded path with a randomly generated temporary filename using mktemp, preventing path prediction and symlink attacks.
How can this vulnerability impact me?
This vulnerability can lead to the disclosure of administrator credentials during reinstall or erase operations on Apple Silicon Macs.
An attacker with local unprivileged access can intercept these credentials by exploiting the predictable file path used by the erase-install script.
Compromise of administrator credentials can lead to unauthorized system access, privilege escalation, and potential full system compromise.
Because the attack requires only low privileges and no complex conditions, it poses a high confidentiality and integrity risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the file /var/tmp/dialog.json exists as a named pipe (FIFO) or a symlink pointing to a FIFO or other suspicious location. An attacker exploits the vulnerability by creating a named pipe or symlink at this predictable path to intercept credentials.
Suggested commands to detect potential exploitation or presence of the vulnerability include:
- Check whether `/var/tmp/dialog.json` is a named pipe or a symlink: `ls -l /var/tmp/dialog.json`
- Verify the file type: `file /var/tmp/dialog.json`
- Look for suspicious FIFOs in `/var/tmp` or `/tmp`: `find /var/tmp /tmp -type p`
- Monitor for unexpected reads of or writes to `/var/tmp/dialog.json` or related FIFOs.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves upgrading the erase-install script to version 40.5 or later, which contains the fix that replaces the hardcoded credential output path with a securely generated temporary file name using mktemp.
Until the upgrade can be applied, you should ensure that /var/tmp/dialog.json does not exist as a named pipe or symlink and restrict write permissions to /var/tmp to prevent unprivileged users from creating such files.
Additional steps include monitoring for and removing any suspicious FIFOs or symlinks at /var/tmp/dialog.json, and making administrators aware of this vulnerability when they run erase-install with the --erase or --reinstall options.
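The detection check and the mktemp-based fix pattern described above, as an added example that is not code from the erase-install project. The function names `check_dialog_path` and `safe_dialog_output` are assumed for illustration; the audit treats a symlink or FIFO at the predictable path as suspicious, and the second function shows the unpredictable-path pattern the fix adopted.

```shell
# Added example, not erase-install's own code. Assumed helper names:
# check_dialog_path and safe_dialog_output.

# check_dialog_path [PATH]
# Returns 0 when PATH (default: the CVE's hardcoded path) is absent or a
# regular file, and 1 when it is a symlink or a named pipe, i.e. a position
# where an unprivileged user could intercept whatever a script writes there.
check_dialog_path() {
    p=${1:-/var/tmp/dialog.json}
    if [ -L "$p" ]; then
        printf 'SUSPICIOUS: %s is a symlink -> %s\n' "$p" "$(readlink "$p")"
        return 1
    fi
    if [ -p "$p" ]; then
        printf 'SUSPICIOUS: %s is a named pipe (FIFO)\n' "$p"
        return 1
    fi
    if [ -e "$p" ] && [ ! -f "$p" ]; then
        printf 'SUSPICIOUS: %s exists but is not a regular file\n' "$p"
        return 1
    fi
    printf 'OK: %s is absent or a regular file\n' "$p"
    return 0
}

# safe_dialog_output [DIR]
# The fixed pattern: let mktemp pick a fresh, unpredictable name (inside DIR,
# or inside a new private directory when DIR is omitted). Because the name is
# unknown in advance, nobody can plant a FIFO or symlink at it beforehand, and
# mktemp creates the file with mode 0600. Prints the chosen path.
safe_dialog_output() {
    d=$1
    [ -n "$d" ] || d=$(mktemp -d) || return 1
    f=$(mktemp "$d/dialog.XXXXXX") || return 1
    # Belt and braces: refuse to continue unless we got a plain regular file.
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    printf '%s\n' "$f"
}
```

Running `check_dialog_path` with no argument audits the real /var/tmp/dialog.json on the host.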