Security Flaw in Sandboxie Password Handling for Windows
CVE-2025-54422

6.9 MEDIUM

Key Information:

Status:
Vendor:
CVE Published: 29 July 2025

What is CVE-2025-54422?

A significant security gap exists in the way Sandboxie for Windows handles passwords. In versions 1.16.1 and earlier, the password used to create an encrypted sandbox is passed through shared memory, where another process in the same session can read it. When a password is changed, both the old and the new password are additionally handed to the Imbox process as plaintext command-line arguments, with no encryption or obfuscation. Because any process running in the user's session can read that shared memory and those command lines, no elevated privileges are needed to recover the credentials, which is a serious risk to the confidentiality of the sandbox contents. This issue has been addressed in version 1.16.2.

Affected Version(s)

Sandboxie < 1.16.2
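To make the flaw concrete, here is an added example (not code from the page or from the Sandboxie project) that shows the weak pattern described above, a secret placed on a child process's command line, beside a hardened alternative that hands the secret over a stdin pipe instead. The child program is a constructed stand-in for a helper process that needs the password, not Imbox itself, and the stdin approach is one illustrative fix, not a description of what 1.16.2 actually changed. A small helper also classifies an installed version against the affected range given on this page.

```python
import subprocess
import sys

FIXED_VERSION = (1, 16, 2)  # advisory: fixed in 1.16.2, all earlier versions affected


def parse_version(text):
    """'1.16.1' -> (1, 16, 1); tuple comparison then orders versions correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True when an installed Sandboxie version falls inside 'Sandboxie < 1.16.2'."""
    return parse_version(version) < FIXED_VERSION


# Constructed child program (hypothetical stand-in for a password-consuming helper):
# line 1 of its output is its own argv, i.e. what any process in the session would
# see in the process list; line 2 is whatever it read from stdin.
CHILD = ("import sys; print(' '.join(sys.argv[1:])); "
         "print(sys.stdin.readline().rstrip('\\n'))")


def _run_child(extra_argv, stdin_text):
    proc = subprocess.run([sys.executable, "-c", CHILD, *extra_argv],
                          input=stdin_text, capture_output=True, text=True, check=True)
    visible_argv, received_stdin = proc.stdout.splitlines()
    return {"argv": visible_argv, "stdin": received_stdin}


def spawn_password_on_argv(password):
    """Weak pattern from the advisory: the secret rides on the command line,
    so it is readable by every process in the user's session."""
    return _run_child(["--password", password], stdin_text="")


def spawn_password_via_stdin(password):
    """Hardened pattern: the command line only signals where the secret comes
    from; the secret itself travels over a pipe that only parent and child hold."""
    return _run_child(["--password-stdin"], stdin_text=password + "\n")


if __name__ == "__main__":
    print("1.16.1 affected:", is_affected("1.16.1"))   # True
    print("weak   :", spawn_password_on_argv("hunter2"))
    print("harden :", spawn_password_via_stdin("hunter2"))
```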

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
