CVE-2025-10015

Source
https://cve.org/CVERecord?id=CVE-2025-10015
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10015.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-10015
Published
2025-09-16T10:03:22.903Z
Modified
2026-07-15T01:49:22.492847111Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
TCC Bypass via Downloader XPC Service in Sparkle
Details

The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation of connecting client allows the attacker to copy TCC-protected files to an arbitrary location. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.

This issue was fixed in version 2.7.2

Database specific
{
    "cna_assigner": "CERT-PL",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/10xxx/CVE-2025-10015.json"
}
References

Affected packages

Git / github.com/sparkle-project/sparkle

Affected ranges

Type
GIT
Repo
https://github.com/sparkle-project/sparkle
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.2"
        }
    ]
}

Affected versions

1.*
1.10.0
1.10.0rc1
1.11.0
1.11.0rc1
1.11.0rc2
1.12.0
1.12.0a1
1.12.0a2
1.12.0a3
1.14.0rc1
1.6.0
1.6.1
1.7.0
1.7.1
1.8.0
1.9.0
1.9.0rc1
2.*
2.0.0
2.0.0-beta.1
2.0.0-beta.2
2.0.0-beta.3
2.0.0-beta.4
2.0.0-beta.5
2.0.0-beta.6
2.0.0-rc.1
2.1.0
2.1.0-beta.1
2.1.0-beta.2
2.2.0
2.2.0-beta.1
2.2.0-beta.2
2.2.1
2.3.0
2.3.0-beta.1
2.3.0-beta.2
2.4.0
2.4.0-beta.1
2.4.0-beta.2
2.4.1
2.4.1-beta.1
2.4.2
2.5.0
2.5.0-beta.1
2.5.0-beta.2
2.5.1
2.6.0
2.6.0-beta.1
2.6.0-beta.2
2.6.1
2.6.2
2.7.0
2.7.0-beta.1
2.7.1
sparkle-1.*
sparkle-1.5b1
sparkle-1.5b2
sparkle-1.5b3
sparkle-1.5b4
sparkle-1.5b5
sparkle-1.5b6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-10015.json"