CVE-2025-64723

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-64723
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64723.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64723
Aliases
  • GHSA-vf5j-xhwq-8vqj
Published
2025-12-18T15:15:15.883Z
Modified
2026-03-01T02:54:21.603291Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Arduino IDE for macOS has TCC Bypass via Dynamic Library Injection
Details

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the 2.3.7 release.

Database specific 
{
    "cwe_ids": [
        "CWE-276"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64723.json"
}
References

Affected packages

Git / github.com/arduino/arduino-ide

Affected ranges

Type
GIT
Repo
https://github.com/arduino/arduino-ide
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2bfd24338c3c484a063fb91e6920c718a811ec0c

Affected versions

0.*
0.1.0
0.1.1
0.1.2
0.1.3
2.*
2.0.0
2.0.0-beta.1
2.0.0-beta.10
2.0.0-beta.11
2.0.0-beta.12
2.0.0-beta.2
2.0.0-beta.3
2.0.0-beta.4
2.0.0-beta.5
2.0.0-beta.6
2.0.0-beta.7
2.0.0-beta.8
2.0.0-beta.9
2.0.0-rc1
2.0.0-rc2
2.0.0-rc3
2.0.0-rc4
2.0.0-rc5
2.0.0-rc6
2.0.0-rc7
2.0.0-rc8
2.0.0-rc9
2.0.0-rc9.1
2.0.0-rc9.2
2.0.0-rc9.3
2.0.0-rc9.4
2.0.1
2.0.2
2.0.3
2.0.4
2.1.0
2.3.0
2.3.3
2.3.4
2.3.5
2.3.6
v0.*
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.1.0
v0.1.1
v0.1.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64723.json"