VYPR
High severity · NVD Advisory · Published Feb 4, 2025 · Updated Feb 17, 2025

Signing Checks Bypass

CVE-2025-0509

Description

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sparkle before 2.6.4 lets an attacker replace a signed update with a different payload, bypassing EdDSA signature verification.

Vulnerability

CVE-2025-0509 is a security issue in Sparkle, a software update framework for macOS, affecting versions prior to 2.6.4. The root cause is that Sparkle's update verification process does not properly isolate extracted archive contents, allowing an attacker to substitute a legitimate signed update with an arbitrary payload while bypassing the (Ed)DSA signing checks [1][2].

Exploitation

The attack is possible because the extracted update archive is placed in the same directory as the input archive file. An attacker who can perform a man-in-the-middle attack or control the update feed can replace the downloaded archive with a malicious one. Since the verification occurs on the original signed archive but the extraction uses the attacker-controlled file, the signature check is effectively bypassed [1][4]. The vulnerability does not require authentication from the victim's side, as it can be triggered by serving a crafted update feed or by intercepting network traffic [2].

Impact

An attacker exploiting this vulnerability can deliver a payload that executes arbitrary code with the privileges of the updating application. This could lead to full compromise of the affected system, including installation of malware, data exfiltration, or persistent backdoor access [1][2].

Mitigation

The issue is fixed in Sparkle version 2.6.4, released on February 4, 2025, and also backported to version 1.27.3. Users and developers are strongly advised to update their Sparkle integration to the latest patched version to prevent exploitation [1].
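The check-then-extract gap described under Exploitation, and the two halves of the fix (extract only the bytes that were verified, and stage them away from the download directory), as an added Go example; this is illustration code, not Sparkle's own Swift/Objective-C implementation. The `install` routine, `Demo`, the payload strings and the all-zero demo seed key are constructed here: `install` is run once in the vulnerable shape, where extraction re-reads the download location after the signature check, and once in the fixed shape.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"os"
	"path/filepath"
)

// install verifies one downloaded update and stages it for extraction; read
// fetches the archive from the download location. rereadForExtract=true mirrors
// the vulnerable shape: the checked bytes are dropped and the location is read
// again for extraction, so an archive replaced in between is what gets staged.
func install(read func() ([]byte, error), sig []byte, pub ed25519.PublicKey, rereadForExtract bool) (string, error) {
	data, err := read()
	if err == nil && !ed25519.Verify(pub, data, sig) {
		err = errors.New("signature check failed")
	}
	if err == nil && rereadForExtract {
		data, err = read() // whatever sits at the download location by now
	}
	if err != nil {
		return "", err
	}
	// Stage into a fresh 0700 directory under the system temp dir rather than
	// beside the download, so the download directory is never trusted again.
	dir, err := os.MkdirTemp("", "verified-update-*")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	return string(data), os.WriteFile(filepath.Join(dir, "update.bin"), data, 0o600)
}

// Demo simulates a download replaced right after the signature check and
// returns what each variant staged: [vulnerable, fixed].
func Demo() (staged [2]string, err error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed demo key
	pub := priv.Public().(ed25519.PublicKey)
	genuine := []byte("genuine update 2.6.4") // constructed sample payload
	sig := ed25519.Sign(priv, genuine)
	for i, reread := range []bool{true, false} {
		seen := [][]byte{genuine, []byte("replaced payload")} // successive reads of the location
		read := func() ([]byte, error) { b := seen[0]; seen = seen[1:]; return b, nil }
		if staged[i], err = install(read, sig, pub, reread); err != nil {
			return staged, err
		}
	}
	return staged, nil
}
```

The vulnerable variant stages the replaced payload even though the signature check passed, while the fixed variant stages exactly the bytes that were verified.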

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
github.com/sparkle-project/Sparkle (Swift) | < 2.6.4 | 2.6.4

Affected products: 36

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)