TCC Bypass via Downloader XPC Service in Sparkle
CVE-2025-10015

4.8MEDIUM

Key Information:

Vendor

Sparkle Project

Status
Sparkle
Vendor
CVE Published:
16 September 2025

What is CVE-2025-10015?

The Sparkle framework includes an XPC service Downloader.xpc, by default this service is private to the application its bundled with. A local unprivileged attacker can register this XPC service globally which will inherit TCC permissions of the application. Lack of validation of connecting client allows the attacker to copy TCC-protected files to an arbitrary location. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.

This issue was fixed in version 2.7.2

Affected Version(s)

Sparkle MacOS 0 < 2.7.2

References

https://cert.pl/en/posts/2025/09/CVE-2025-10015
third-party-advisory
https://github.com/sparkle-project/Sparkle
product
https://github.com/sparkle-project/Sparkle/discussions/2764
vendor-advisory

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Karol Mazurek - Afine Team
.
CVE-2025-10015 : Local Privilege Escalation in Sparkle Framework by Catalyst Project