Privilege Escalation in Arduino IDE for macOS
CVE-2025-64724

4.8 MEDIUM

Key Information:

Vendor:
Arduino

CVE Published:
18 December 2025

What is CVE-2025-64724?

The Arduino IDE for macOS, before version 2.3.7, is susceptible to unauthorized file modification due to incorrect world-writable permissions on sensitive application components. This flaw allows any local user to replace legitimate application files with malicious code. When the compromised application is executed by another user, the malware runs with that user’s privileges, leading to potential privilege escalation and unauthorized access to sensitive information. Users are advised to update to version 2.3.7 or later to mitigate this risk.
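The root cause described above (application components that any local user can write to) is something an administrator can check for and correct without relying on the vendor's fix. The following audit script is an added example written for this page; it is not Arduino code and not part of the advisory. It walks an application bundle, reports every file or directory whose mode has the other-write bit set, and can optionally clear that bit. The bundle path `/Applications/Arduino IDE.app` used in the usage comment is an assumption, and the sample bundle built by `build_sample_bundle()` is constructed data so the script runs offline.

```python
import os
import stat
import sys
import tempfile


def find_world_writable(root):
    """Return sorted paths (relative to root) whose mode has S_IWOTH set.

    Symlinks are skipped rather than followed: a link's own mode is
    meaningless, and reporting its target would attribute another
    location's permissions to the bundle.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def harden(root, dry_run=True):
    """Clear the other-write bit on every hit found by find_world_writable.

    Returns the list of paths that were changed (or would be, in dry-run mode).
    Only the o+w bit is touched; owner/group bits and setuid/setgid are left alone.
    """
    changed = []
    for rel in find_world_writable(root):
        full = os.path.join(root, rel)
        if not dry_run:
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            os.chmod(full, mode & ~stat.S_IWOTH)
        changed.append(rel)
    return changed


def build_sample_bundle():
    """Constructed sample bundle (not a real install) with one world-writable
    file under Contents/MacOS and one world-writable directory under Contents."""
    root = tempfile.mkdtemp(prefix="sample.app-")
    macos_dir = os.path.join(root, "Contents", "MacOS")
    res_dir = os.path.join(root, "Contents", "Resources")
    os.makedirs(macos_dir)
    os.makedirs(res_dir)
    bad_file = os.path.join(macos_dir, "launcher")
    good_file = os.path.join(res_dir, "icon.icns")
    for path in (bad_file, good_file):
        with open(path, "w") as f:
            f.write("sample\n")
    os.chmod(bad_file, 0o777)   # the defect: any local user may replace the executable
    os.chmod(good_file, 0o644)  # correct: owner-writable only
    os.chmod(res_dir, 0o777)    # world-writable directory: entries can be swapped
    os.chmod(macos_dir, 0o755)
    return root


if __name__ == "__main__":
    # Usage (assumed path): python3 audit_bundle.py "/Applications/Arduino IDE.app" [--fix]
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_bundle()
    fix = "--fix" in sys.argv[2:]
    for rel in harden(target, dry_run=not fix):
        print(("fixed " if fix else "world-writable ") + rel)
```

Run it against the real bundle without `--fix` first and review the list; a world-writable directory matters as much as a world-writable file, because the directory's owner of record is irrelevant when anyone can unlink and recreate entries inside it.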

Affected Version(s)

arduino-ide < 2.3.7

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
