PT-2025-37918 · Sparkle · Sparkle
Karmaz95 · Published 2025-09-16 · Updated 2025-10-29 · CVE-2025-10016
CVSS v4.0 8.8 High
| Vector | AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Sparkle versions prior to 2.7.2
Description
The Sparkle framework's Autoupdate tool does not authenticate the clients that connect to it. A local, unprivileged attacker can therefore ask it to install a crafted malicious PKG file, escalating privileges to root. The Autoupdate tool can also be spawned manually through the Installer XPC service, but that path requires the victim to enter credentials in the system authorization dialog that is created, which the attacker can modify.
Recommendations
Upgrade to version 2.7.2.
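As an added example (not part of this advisory or of the Sparkle project), a Python script that inventories embedded copies of Sparkle.framework under a directory such as /Applications and flags every one whose CFBundleShortVersionString is prior to 2.7.2. It assumes the usual bundle layout App.app/Contents/Frameworks/Sparkle.framework/Versions/<X>/Resources/Info.plist; build_fixture constructs fake bundles so the check can be exercised offline.

```python
import plistlib
import sys
from pathlib import Path

FIXED_VERSION = (2, 7, 2)  # first release with the Autoupdate authentication fix

def parse_version(text):
    """'2.7.1' -> (2, 7, 1); non-digit characters inside a component are dropped."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_vulnerable(version_text):
    """True for any Sparkle version prior to 2.7.2 (tuple order, so 2.7 < 2.7.2)."""
    return parse_version(version_text) < FIXED_VERSION

def find_sparkle_frameworks(root):
    """Yield (framework_path, version) for each Sparkle.framework below root.
    Assumption: Info.plist sits at Versions/<X>/Resources/Info.plist (Versions/A
    for Sparkle 1.x, Versions/B for 2.x); Versions/Current is skipped so every
    framework is reported once."""
    for fw in Path(root).rglob("Sparkle.framework"):
        for plist in sorted(fw.glob("Versions/*/Resources/Info.plist")):
            if "Current" in plist.parts:
                continue
            try:
                with open(plist, "rb") as fh:
                    info = plistlib.load(fh)
            except (OSError, plistlib.InvalidFileException):
                continue
            yield fw, str(info.get("CFBundleShortVersionString", "0"))
            break

def audit(root):
    """Return {framework_path: version} for every copy still prior to 2.7.2."""
    return {str(fw): v for fw, v in find_sparkle_frameworks(root) if is_vulnerable(v)}

def build_fixture(root, app_versions):
    """Constructed test data: fake .app bundles using the layout assumed above."""
    for app, ver in app_versions.items():
        res = Path(root, f"{app}.app/Contents/Frameworks/Sparkle.framework/Versions/B/Resources")
        res.mkdir(parents=True, exist_ok=True)
        with open(res / "Info.plist", "wb") as fh:
            plistlib.dump({"CFBundleShortVersionString": ver}, fh)

if __name__ == "__main__":
    for path, ver in sorted(audit(sys.argv[1] if len(sys.argv) > 1 else "/Applications").items()):
        print(f"Sparkle {ver} (prior to 2.7.2): {path}")
```

Run it as `python3 sparkle_audit.py /Applications` on a host; any line printed is an app bundle still shipping a Sparkle build prior to the fixed release.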
Fix
LPE
Incorrect Authorization
Affected Products
Sparkle