PT-2025-37917 · Unknown · Sparkle Framework

Karmaz95 · Published 2025-09-16 · Updated 2025-09-16 · CVE-2025-10015

CVSS v4.0: 4.8 (Medium)

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Sparkle framework versions prior to 2.7.2

Description: The Sparkle framework includes an XPC service, Downloader.xpc, which by default is private to the application it is bundled with. A local, unprivileged attacker can register this XPC service globally, so that it inherits the application’s TCC permissions. Because the service does not validate connecting clients, the attacker can use it to copy TCC-protected files to an arbitrary location. Access to resources beyond the permissions already granted still requires user interaction with a system prompt asking for permission.

Recommendations: Update to Sparkle framework version 2.7.2 or later.
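The missing check the description points at is an XPC listener that accepts any connecting process. The following is an added illustration, not Sparkle's own code: the exported protocol, the service class and the Team ID are hypothetical. It shows the hardened shape of a listener delegate that binds every connection to a code-signing requirement before exporting an object, with the weak "accept everything" form left as a comment for contrast.

```swift
import Foundation

// Hypothetical interface for the example; not Sparkle's DownloaderProtocol.
@objc protocol FetchProtocol {
    func fetch(_ url: URL, reply: @escaping (Data?, Error?) -> Void)
}

final class FetchService: NSObject, FetchProtocol {
    func fetch(_ url: URL, reply: @escaping (Data?, Error?) -> Void) {
        URLSession.shared.dataTask(with: url) { data, _, error in
            reply(data, error)
        }.resume()
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Code-signing requirement: an Apple-issued certificate chain whose leaf
    // carries the app's Team ID. "TEAMID0000" is a placeholder, not a real ID.
    private let requirement =
        #"anchor apple generic and certificate leaf[subject.OU] = "TEAMID0000""#

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Weak form (the pattern the advisory describes): accept every peer,
        // so whoever can reach the Mach service inherits the app's TCC grants.
        //   newConnection.resume(); return true

        // Hardened form (macOS 13+): the framework rejects messages from any
        // peer whose code signature does not satisfy the requirement.
        if #available(macOS 13.0, *) {
            newConnection.setCodeSigningRequirement(requirement)
        } else {
            // Refuse rather than silently fall back to an unchecked connection.
            return false
        }
        newConnection.exportedInterface = NSXPCInterface(with: FetchProtocol.self)
        newConnection.exportedObject = FetchService()
        newConnection.resume()
        return true
    }
}

// Entry point of the XPC service bundle.
let delegate = ListenerDelegate()
let listener = NSXPCListener.service()
listener.delegate = delegate
listener.resume()
```

On systems older than macOS 13 the requirement API is unavailable, so a service that must run there needs an equivalent audit-token based check of the peer's signature; the example chooses to refuse the connection instead.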

Fix

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2025-10015

Affected Products: Sparkle Framework