CVE-2025-54595

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-54595
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54595.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54595
Aliases
  • GHSA-gr2j-65fh-8pvc
Published
2025-08-01T18:15:55Z
Modified
2025-08-02T12:12:26.189440Z
Summary
[none]
Details

Pearcleaner is a free, source-available and fair-code licensed Mac app cleaner. The PearcleanerHelper is a privileged helper tool bundled with the Pearcleaner application. It is registered and activated only after the user approves a system prompt to allow privileged operations. Upon approval, the helper is configured as a LaunchDaemon and runs with root privileges. In versions 4.4.0 through 4.5.1, the helper registers an XPC service (com.alienator88.Pearcleaner.PearcleanerHelper) and accepts unauthenticated connections from any local process. It exposes a method that executes arbitrary shell commands. This allows any local unprivileged user to escalate privileges to root once the helper is approved and active. This issue is fixed in version 4.5.2.

Affected packages

Git / github.com/alienator88/pearcleaner

Affected ranges

Type
GIT
Repo
https://github.com/alienator88/pearcleaner
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.0
0.5

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7

3.*

3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.2.0
3.2.1
3.3.0
3.3.1
3.3.2
3.3.3
3.3.4
3.4.0
3.4.1
3.4.2
3.5.0
3.5.1
3.5.2
3.5.3
3.5.4
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.7.5
3.7.6
3.7.7
3.7.8
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.7
3.9.0
3.9.1
3.9.2
3.9.3

4.*

4.0.0
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.1.0
4.2.0
4.2.1
4.3.0
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.5.0
4.5.1