Dynamic Library Injection Vulnerability in Postbox Email Client
CVE-2025-5963

4.8 MEDIUM

Key Information:

Vendor: Postbox

CVE Published: 20 June 2025

What is CVE-2025-5963?

The configuration of Postbox on macOS allows Dynamic Library injection because of certain entitlements the application is signed with. A local attacker with unprivileged access can exploit this by using environment variables such as DYLD_INSERT_LIBRARIES to inject malicious code into the application's context. The injected code's access to system resources is confined to the permissions the user has already granted; any request for additional access prompts user interaction. The original developers of Postbox are no longer operational, and the acquiring company has not engaged in the necessary vulnerability disclosure process.
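
A defender can check for this class of misconfiguration by auditing an application's signed entitlements. The script below is an added example, not code from the advisory or from Postbox. The advisory does not name the entitlements involved, so the two hardened-runtime keys it checks and the sample plists are assumptions constructed for illustration.

```python
import plistlib

# Hardened-runtime entitlement keys (assumption: the advisory names none).
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Classify an entitlements plist (as dumped by codesign) for DYLD injection.

    Assumes the binary is signed with the hardened runtime; without it,
    DYLD_* handling does not depend on these entitlements.
    """
    # A signature that carries no entitlements yields no plist at all.
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    # Only a boolean true grants the exception; false or a missing key does not.
    dyld_env = ents.get(ALLOW_DYLD_ENV) is True
    no_lv = ents.get(DISABLE_LIB_VALIDATION) is True
    if dyld_env and no_lv:
        verdict = "injectable"  # DYLD_* honoured and foreign-signed dylibs load
    elif dyld_env or no_lv:
        verdict = "review"      # one of the two protections is weakened
    else:
        verdict = "ok"
    return {
        "allow_dyld_env": dyld_env,
        "library_validation_disabled": no_lv,
        "verdict": verdict,
    }


# Constructed sample inputs, not taken from any real application.
SAMPLE_RISKY = plistlib.dumps({ALLOW_DYLD_ENV: True, DISABLE_LIB_VALIDATION: True})
SAMPLE_PARTIAL = plistlib.dumps({ALLOW_DYLD_ENV: False, DISABLE_LIB_VALIDATION: True})
SAMPLE_CLEAN = plistlib.dumps({"com.apple.security.cs.allow-jit": True})

if __name__ == "__main__":
    samples = {"risky": SAMPLE_RISKY, "partial": SAMPLE_PARTIAL,
               "clean": SAMPLE_CLEAN, "no entitlements": b""}
    for name, blob in samples.items():
        print(f"{name}: {audit_entitlements(blob)['verdict']}")
```
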

Affected Version(s)

Postbox macOS 7.0.65

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Karol Mazurek - Afine Team