Authorization Misconfiguration in ws.stash.app.mac.daemon.helper from STASH
CVE-2024-7457

7.8 HIGH

Key Information:

Vendor

Stash

Status
Vendor
CVE Published:
11 June 2025

What is CVE-2024-7457?

The ws.stash.app.mac.daemon.helper tool, the privileged helper that Stash for macOS installs, contains a critical authorization misconfiguration caused by improper use of macOS's authorization model. Instead of validating the calling client's authorization context, the helper carries out requested operations under its own root privileges. As a result, any unprivileged local process that can reach the helper over XPC can have it perform privileged tasks, such as changing the system-wide SOCKS, HTTP and HTTPS proxy settings. The helper also performs inadequate code-signing checks on its clients, so connections are not limited to the legitimate Stash application. A malicious local process can therefore redirect the host's traffic through an attacker-controlled proxy and mount a man-in-the-middle attack.
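The two defects described above, a helper that never checks the caller's authorization and a helper that never checks who is connecting, map onto two specific places in a macOS XPC service. The following Swift is an added example written for this page, not Stash's code, showing the vulnerable pattern beside a hardened one. The right name `ws.stash.helper.setProxy`, the team identifier `TEAMID`, the app identifier `ws.stash.app.mac`, the Mach service name and the `applyProxy` placeholder are all assumptions made for illustration.

```swift
// Added example (not Stash's code): a privileged helper's XPC entry point,
// vulnerable pattern first, hardened pattern second.
// Hypothetical names: the right "ws.stash.helper.setProxy", team "TEAMID",
// app identifier "ws.stash.app.mac", Mach service "ws.stash.app.mac.daemon.helper".
import Foundation
import Security

/// Interface exposed to clients. The client passes its AuthorizationRef in
/// external form so the helper can check it, as in Apple's SMJobBless model.
@objc protocol ProxyHelperProtocol {
    func setProxy(host: String, port: Int, authData: Data, reply: @escaping (Bool) -> Void)
}

/// Placeholder for the SystemConfiguration work a real helper would do.
func applyProxy(host: String, port: Int) -> Bool {
    return !host.isEmpty && (1...65535).contains(port)
}

// MARK: - Vulnerable pattern: trusts every connection and every caller.

final class VulnerableService: NSObject, ProxyHelperProtocol {
    func setProxy(host: String, port: Int, authData: Data, reply: @escaping (Bool) -> Void) {
        // authData is ignored: the helper's own root privileges do the work.
        reply(applyProxy(host: host, port: port))
    }
}

final class VulnerableDelegate: NSObject, NSXPCListenerDelegate {
    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection c: NSXPCConnection) -> Bool {
        // No code-signing requirement: any local process may connect.
        c.exportedInterface = NSXPCInterface(with: ProxyHelperProtocol.self)
        c.exportedObject = VulnerableService()
        c.resume()
        return true
    }
}

// MARK: - Hardened pattern: verify the caller's right and its code signature.

/// Rebuilds the caller's AuthorizationRef from external form and asks the
/// authorization database whether the caller already holds `right`.
/// Interaction is deliberately not allowed: a daemon must never prompt, so a
/// caller that never authenticated fails with errAuthorizationInteractionNotAllowed.
func callerHolds(right: String, externalForm: Data) -> Bool {
    guard externalForm.count == MemoryLayout<AuthorizationExternalForm>.size else { return false }
    var ext = AuthorizationExternalForm()
    withUnsafeMutableBytes(of: &ext) { $0.copyBytes(from: externalForm) }
    var authRef: AuthorizationRef?
    guard AuthorizationCreateFromExternalForm(&ext, &authRef) == errAuthorizationSuccess,
          let auth = authRef else { return false }
    defer { AuthorizationFree(auth, []) }
    return right.withCString { cRight -> Bool in
        var item = AuthorizationItem(name: cRight, valueLength: 0, value: nil, flags: 0)
        return withUnsafeMutablePointer(to: &item) { itemPtr -> Bool in
            var rights = AuthorizationRights(count: 1, items: itemPtr)
            let flags: AuthorizationFlags = [.extendRights]
            return AuthorizationCopyRights(auth, &rights, nil, flags, nil) == errAuthorizationSuccess
        }
    }
}

final class HardenedService: NSObject, ProxyHelperProtocol {
    static let proxyRight = "ws.stash.helper.setProxy"   // hypothetical right name

    func setProxy(host: String, port: Int, authData: Data, reply: @escaping (Bool) -> Void) {
        // Checked on every call, not once per connection.
        guard callerHolds(right: Self.proxyRight, externalForm: authData) else {
            reply(false)   // unprivileged caller: refuse rather than act as root on its behalf
            return
        }
        reply(applyProxy(host: host, port: port))
    }
}

final class HardenedDelegate: NSObject, NSXPCListenerDelegate {
    // Hypothetical designated requirement for the shipping app: pin identifier and team.
    static let requirement =
        "anchor apple generic and identifier \"ws.stash.app.mac\" and certificate leaf[subject.OU] = \"TEAMID\""

    func listener(_ listener: NSXPCListener, shouldAcceptNewConnection c: NSXPCConnection) -> Bool {
        // macOS 13+: XPC checks the peer's signature against the requirement
        // before delivering any message and drops peers that do not match.
        if #available(macOS 13.0, *) {
            c.setCodeSigningRequirement(Self.requirement)
        } else {
            return false   // older systems need SecCodeCopyGuestWithAttributes on the peer's audit token
        }
        c.exportedInterface = NSXPCInterface(with: ProxyHelperProtocol.self)
        c.exportedObject = HardenedService()
        c.resume()
        return true
    }
}

// Entry point; assumes the launchd plist registers this Mach service name.
let listener = NSXPCListener(machServiceName: "ws.stash.app.mac.daemon.helper")
let delegate = HardenedDelegate()
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The two checks protect against different things and both are needed: the code-signing requirement limits which binaries may talk to the helper at all, while the `AuthorizationCopyRights` check ties each privileged operation to a right the user actually granted. On the client side the app must request the same right with `.interactionAllowed` and `.preAuthorize` before sending the external form, otherwise the helper's non-interactive check correctly fails. Checking the peer by PID instead of a code-signing requirement or audit token is not an adequate substitute, because PIDs can be reused between the check and the call.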

Affected Version(s)

Stash MacOS 0

References

CVSS V3.1

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 7.8
Severity: HIGH
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published
