PT-2025-3930 · Sparkle+1

Zorgiepoo · Published 2024-04-30 · Updated 2026-05-08 · CVE-2025-0509

CVSS v3.1: 7.3 (High)
Vector: AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Sparkle versions prior to 2.6.4
Description: A security issue was found in Sparkle, where an attacker can replace an existing signed update with another payload, bypassing Sparkle's (Ed)DSA signing checks. This allows the attacker to potentially install malicious software.
Recommendations: For versions prior to 2.6.4, update to version 2.6.4 or later to resolve the issue. As a temporary workaround, consider restricting the use of Sparkle's update mechanism until the patch is applied.

Weakness Enumeration: Files Accessible to External Parties

Related Identifiers

BDU:2025-09248
BIT-JAVA-2025-0509
BIT-JAVA-MIN-2025-0509
BIT-JRE-2025-0509
CVE-2025-0509
GHSA-WC9M-R3V6-9P5H

Affected Products

Java Platform
Sparkle