CVE-2025-24268
Analyzed Analyzed - Analysis Complete

Path Traversal in macOS Sequoia

Vulnerability report for CVE-2025-24268, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-11

Last updated on: 2026-06-12

Assigner: Apple Inc.

Description

A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-11
Last Modified
2026-06-12
Generated
2026-07-02
AI Q&A
2026-06-12
EPSS Evaluated
2026-06-30
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apple macos to 15.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a parsing issue related to the handling of directory paths in macOS Sequoia. It occurs because of insufficient validation of directory paths, which could allow an application to access sensitive user data improperly.

The issue was addressed by improving path validation in macOS Sequoia 15.4 to prevent such unauthorized access.

Impact Analysis

An application exploiting this vulnerability may be able to access sensitive user data without proper authorization.

The CVSS v3.1 base score of 5.5 indicates a moderate severity, with the attack requiring local access and low privileges but no user interaction.

  • Confidentiality impact is high, meaning sensitive information could be exposed.
  • Integrity and availability impacts are not affected.
Mitigation Strategies

The vulnerability is fixed in macOS Sequoia 15.4 by improved path validation to address the parsing issue in handling directory paths.

To mitigate this vulnerability, you should update your system to macOS Sequoia 15.4 or later.

Compliance Impact

The vulnerability allows an app to potentially access sensitive user data due to a parsing issue in directory path handling. This unauthorized access to sensitive data could impact compliance with data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

By enabling unauthorized access to sensitive user data, the vulnerability may increase the risk of data breaches or improper data handling, which are critical concerns under these regulations.

The issue was addressed with improved path validation in macOS Sequoia 15.4, which helps mitigate the risk and supports compliance efforts by reducing the chance of unauthorized data access.

Detection Guidance

This vulnerability is related to a parsing issue in the handling of directory paths on macOS Sequoia 15.4, which may allow an app to access sensitive user data.

Detection would involve verifying the macOS version running on your system to ensure it is updated to version 15.4 or later, where the issue is fixed.

There are no specific network detection commands or signatures provided for this vulnerability.

To check the macOS version, you can use the following command in the terminal:

  • sw_vers -productVersion

If the version is earlier than 15.4, the system may be vulnerable and should be updated.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-24268. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart