CVE-2025-24268

Vulnerability

A parsing issue exists in the handling of directory paths in macOS Sequoia, specifically in versions prior to 15.4. The bug resides in the path validation logic, which fails to properly restrict directory traversal or symbolic link resolution, potentially allowing an app to read files outside its sandbox. Affected versions are all macOS Sequoia builds before 15.4.

Exploitation

An attacker would need to run a malicious app on the target system, either as a user-installed application or via another compromise. No special network position or additional user interaction beyond launching the app is required. The app can craft a directory path that bypasses the flawed validation, enabling access to protected directories.

Impact

Successful exploitation allows the malicious app to read sensitive user data, such as documents, configuration files, or other private information stored on the device. This violates the sandbox restrictions and can lead to confidentiality breaches.

Mitigation

The issue is fixed in macOS Sequoia 15.4, released on March 31, 2025, as documented in Apple's security advisory [1]. Users should update to this version or later via Software Update or Apple's support site. No workarounds are provided for earlier versions; updating is the only mitigation.