CVE-2025-54595

Source
https://cve.org/CVERecord?id=CVE-2025-54595
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54595.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54595
Aliases
  • GHSA-gr2j-65fh-8pvc
Published
2025-08-01T18:06:23.948Z
Modified
2026-04-10T05:31:56.669614Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
Pearcleaner's unauthenticated access to privileged XPC helper allows root command execution
Details

Pearcleaner is a free, source-available and fair-code licensed mac app cleaner. The PearcleanerHelper is a privileged helper tool bundled with the Pearcleaner application. It is registered and activated only after the user approves a system prompt to allow privileged operations. Upon approval, the helper is configured as a LaunchDaemon and runs with root privileges. In versions 4.4.0 through 4.5.1, the helper registers an XPC service (com.alienator88.Pearcleaner.PearcleanerHelper) and accepts unauthenticated connections from any local process. It exposes a method that executes arbitrary shell commands. This allows any local unprivileged user to escalate privileges to root once the helper is approved and active. This issue is fixed in version 4.5.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-269",
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54595.json"
}
References

Affected packages

Git / github.com/alienator88/Pearcleaner

Affected ranges

Type
GIT
Repo
https://github.com/alienator88/Pearcleaner
Events
Database specific
{
    "versions": [
        {
            "introduced": "4.4.0"
        },
        {
            "last_affected": "4.5.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/alienator88/pearcleaner
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.0
0.5
1.*
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
3.*
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0
3.4.1
3.4.2
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.8.0
3.8.1
3.8.3
3.8.5
3.8.7
3.9.0
3.9.1
3.9.3
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.2.0
4.2.1
4.3.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.5.0
4.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54595.json"