CVE 6.9 MEDIUM

Incorrect Authorization of XPC Service in Fantastical.app_CVE-2025-8533

August 7, 2025 invoker category_cve

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods.

This issue has been resolved in version 4.0.16.

AI Analysis

A vulnerability in Fantastical's XPC services allows unauthorized access due to missing client authorization checks. This could permit any local process to connect and execute methods. The issue is resolved in version 4.0.16.

Basic Information

ID CVE-2025-8533

Source CERT-PL

Published Aug 7, 2025 at 09:59

Affected Product

Vendor Flexibits

Product Fantastical

Affected Versions Flexibits Fantastical 0

CWE Classification

CWE-863

AI Assessment

AI Severity Medium

Vendor Flexibits

Product Fantastical

Version 4.0.16

References

{
    "lastseen": "",
    "description": "A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods.\n\n\n\n\nThis issue has been resolved in version 4.0.16.",
    "published": "2025-08-07T09:59:12.324Z",
    "modified": "2025-08-07T09:59:12.324Z",
    "type": "cve",
    "title": "Incorrect Authorization of XPC Service in Fantastical.app",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2025/08/CVE-2025-8533\nhttps://flexibits.com/fantastical",
    "id": "CVE-2025-8533",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "Flexibits Fantastical 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Fantastical",
    "version": "0",
    "vendor": "Flexibits",
    "ai_description": "A vulnerability in Fantastical's XPC services allows unauthorized access due to missing client authorization checks. This could permit any local process to connect and execute methods. The issue is resolved in version 4.0.16.",
    "ai_severity": "Medium",
    "ai_vendor": "Flexibits",
    "ai_product": "Fantastical",
    "ai_version": "4.0.16",
    "ai_score": 0
}

💭 Join the Security Discussion ❌ Cancel Reply