Search criteria
2 vulnerabilities by Sparkle Project
CVE-2025-10016 (GCVE-0-2025-10016)
Vulnerability from cvelistv5 – Published: 2025-09-16 10:03 – Updated: 2025-09-16 19:27 X_Open Source
VLAI?
Title
Local Privilege Escalation in Sparkle Autoupdate Daemon
Summary
The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file by racing to connect to the daemon when other app spawns it as root. This results in local privilege escalation to root privileges. It is worth noting that it is possible to spawn Autopudate manually via Installer XPC service. However this requires the victim to enter credentials upon system authorization dialog creation that can be modified by the attacker.
This issue was fixed in version 2.7.2
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sparkle Project | Sparkle |
Affected:
0 , < 2.7.2
(semver)
|
Credits
Karol Mazurek - Afine Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T19:27:22.781850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:27:29.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Sparkle",
"vendor": "Sparkle Project",
"versions": [
{
"lessThan": "2.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Karol Mazurek - Afine Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Sparkle framework includes a helper tool \u003ctt\u003eAutoupdate\u003c/tt\u003e. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file\u0026nbsp;by racing to connect to the daemon when other app spawns it as root. This results in local privilege escalation to root privileges. It is worth noting that it is possible to spawn\u0026nbsp;\u003ctt\u003eAutopudate\u003c/tt\u003e\u0026nbsp;manually via \u003ctt\u003eInstaller\u003c/tt\u003e XPC service. However this requires the victim to enter credentials upon system authorization dialog creation that can be modified by the attacker.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 2.7.2"
}
],
"value": "The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file\u00a0by racing to connect to the daemon when other app spawns it as root. This results in local privilege escalation to root privileges. It is worth noting that it is possible to spawn\u00a0Autopudate\u00a0manually via Installer XPC service. However this requires the victim to enter credentials upon system authorization dialog creation that can be modified by the attacker.\n\nThis issue was fixed in version 2.7.2"
}
],
"impacts": [
{
"capecId": "CAPEC-233",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-233 Privilege Escalation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T10:03:28.701Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/09/CVE-2025-10015"
},
{
"tags": [
"product"
],
"url": "https://github.com/sparkle-project/Sparkle"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sparkle-project/Sparkle/discussions/2764"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Local Privilege Escalation in Sparkle Autoupdate Daemon",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-10016",
"datePublished": "2025-09-16T10:03:28.701Z",
"dateReserved": "2025-09-05T09:46:13.751Z",
"dateUpdated": "2025-09-16T19:27:29.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-10015 (GCVE-0-2025-10015)
Vulnerability from cvelistv5 – Published: 2025-09-16 10:03 – Updated: 2025-09-16 19:26 X_Open Source
VLAI?
Title
TCC Bypass via Downloader XPC Service in Sparkle
Summary
The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application.
Lack of validation of connecting client allows the attacker to copy TCC-protected files to an arbitrary location. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.
This issue was fixed in version 2.7.2
Severity ?
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Sparkle Project | Sparkle |
Affected:
0 , < 2.7.2
(semver)
|
Credits
Karol Mazurek - Afine Team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T19:26:51.867416Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:26:58.684Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"MacOS"
],
"product": "Sparkle",
"vendor": "Sparkle Project",
"versions": [
{
"lessThan": "2.7.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Karol Mazurek - Afine Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Sparkle framework\u0026nbsp;includes an XPC service \u003ctt\u003eDownloader.xpc,\u003c/tt\u003e by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. \u003cbr\u003eLack of validation of connecting client allows the attacker to\u0026nbsp;copy TCC-protected files to an arbitrary location.\u0026nbsp;Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.\u003cbr\u003e\u003cbr\u003eThis issue was fixed in version 2.7.2"
}
],
"value": "The Sparkle framework\u00a0includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. \nLack of validation of connecting client allows the attacker to\u00a0copy TCC-protected files to an arbitrary location.\u00a0Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.\n\nThis issue was fixed in version 2.7.2"
}
],
"impacts": [
{
"capecId": "CAPEC-122",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-122 Privilege Abuse"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T10:03:22.903Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/09/CVE-2025-10015"
},
{
"tags": [
"product"
],
"url": "https://github.com/sparkle-project/Sparkle"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/sparkle-project/Sparkle/discussions/2764"
}
],
"source": {
"discovery": "EXTERNAL"
},
"tags": [
"x_open-source"
],
"title": "TCC Bypass via Downloader XPC Service in Sparkle",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-10015",
"datePublished": "2025-09-16T10:03:22.903Z",
"dateReserved": "2025-09-05T09:41:09.869Z",
"dateUpdated": "2025-09-16T19:26:58.684Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}