Dynamic Library Injection Vulnerability in Postbox Email Client
CVE-2025-5963

4.8MEDIUM

Key Information:

Vendor: Postbox
Status: Postbox
Vendor: CVE Published:; 20 June 2025

What is CVE-2025-5963?

The configuration of Postbox on macOS allows for Dynamic Library injection due to certain entitlements. A local attacker with unprivileged access can exploit this by utilizing environment variables like DYLD_INSERT_LIBRARIES to inject malicious code into the application's context. While the access to system resources is confined to permissions already granted by the user, any request for additional access prompts user interaction. The original developers of Postbox are no longer operational, and the acquiring company has not engaged in the necessary vulnerability disclosure process.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Postbox MacOS 7.0.65

References

https://cert.pl/en/posts/2025/06/tcc-bypass/

third-party-advisory

https://www.postbox-inc.com/

product

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jun 20, 2025
Vulnerability Reserved
Jun 10, 2025

Credit

Karol Mazurek - Afine Team

JSON

Postbox

What is CVE-2025-5963?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V4

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.