Arduino IDE for macOS has TCC Bypass via Dynamic Library...

4.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release.

Basic Information

ID CVE-2025-64723

Source GitHub_M

Published Dec 18, 2025 at 15:15

Affected Product

Vendor arduino

Product arduino-ide

Version < 2.3.7

Affected Versions arduino arduino-ide < 2.3.7

CWE Classification

CWE-276

References

{
    "lastseen": "",
    "description": "Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release.",
    "published": "2025-12-18T15:15:15.883Z",
    "modified": "2025-12-18T15:15:15.883Z",
    "type": "cve",
    "title": "Arduino IDE for macOS has TCC Bypass via Dynamic Library Injection",
    "source": "GitHub_M",
    "references": "https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj\nhttps://github.com/arduino/arduino-ide/pull/2805/commits/2f7667136ee95ce07dde23c49d2de526b45e3293\nhttps://github.com/arduino/arduino-ide/releases/tag/2.3.7\nhttps://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities",
    "id": "CVE-2025-64723",
    "bulletinFamily": "",
    "cwe": [
        "CWE-276"
    ],
    "cvelist": null,
    "sourceData": "arduino arduino-ide < 2.3.7",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "arduino-ide",
    "version": "< 2.3.7",
    "vendor": "arduino",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Arduino IDE for macOS has TCC Bypass via Dynamic Library Injection_CVE-2025-64723