VYPR
Medium severity · NVD Advisory · Published Aug 26, 2025 · Updated Apr 15, 2026

CVE-2025-53813

Description

The configuration of Nozbe on macOS, specifically the enabled "RunAsNode" fuse, allows a local attacker with unprivileged access to execute arbitrary code that inherits Nozbe's TCC (Transparency, Consent, and Control) permissions. The resource access acquired is limited to permissions the user has previously granted. Access to resources beyond the granted permissions requires user interaction with a system prompt asking for permission.

This issue was fixed in version 2025.11 of Nozbe.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nozbe on macOS enables the RunAsNode fuse, letting a local attacker execute arbitrary code with the app's TCC permissions.

Vulnerability Overview

CVE-2025-53813 affects the macOS version of Nozbe, a project management application. The vulnerability stems from the application's configuration enabling the "RunAsNode" fuse. This setting allows a local attacker with unprivileged access to execute arbitrary code that inherits Nozbe's Transparency, Consent, and Control (TCC) permissions [1][2].

Exploitation and Attack Surface

Exploitation requires local access to the system. The attacker can run code that leverages Nozbe's existing TCC permissions, which are limited to resources the user has already granted access to. Access to additional resources would require user interaction with a system prompt [1].

Impact

A successful attack allows the attacker to access resources that the user has previously authorized Nozbe to use, such as files, camera, or microphone, without further user consent. This could lead to unauthorized data access or privacy breaches [1][2].

Mitigation

The issue has been fixed in Nozbe version 2025.11. Users are advised to update to this version or later to remediate the vulnerability [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
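
To check which state the fuse is in on an installed build, the following added example (not code from the advisory or from Nozbe) decodes the fuse wire from a framework binary. It relies on RunAsNode being an Electron fuse, the first one on the wire that follows a fixed sentinel string; the function names and the sample byte strings are constructed for illustration.

```python
import sys

# Sentinel that precedes the fuse wire in Electron binaries (as used by @electron/fuses).
SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"
STATES = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}
RUN_AS_NODE = 0  # RunAsNode is the first fuse on the wire


def read_fuse_wires(blob: bytes) -> list:
    """Decode every fuse wire in blob; universal binaries hold one per slice."""
    wires = []
    pos = blob.find(SENTINEL)
    while pos != -1:
        start = pos + len(SENTINEL)
        if start + 2 <= len(blob):
            version, length = blob[start], blob[start + 1]
            raw = blob[start + 2:start + 2 + length]
            # Only wire version 1 is decoded; truncated wires are skipped.
            if version == 1 and length > 0 and len(raw) == length:
                wires.append([STATES.get(b, "unknown") for b in raw])
        pos = blob.find(SENTINEL, start)
    return wires


def run_as_node_enabled(blob: bytes) -> bool:
    """True if any architecture slice ships with RunAsNode enabled."""
    wires = read_fuse_wires(blob)
    if not wires:
        raise ValueError("no Electron fuse wire found")
    return any(wire[RUN_AS_NODE] == "enabled" for wire in wires)


# Constructed sample data: padding + sentinel + version + length + fuse states.
SAMPLE_ENABLED = b"\x00" * 8 + SENTINEL + bytes([1, 4]) + b"1001" + b"\x00" * 8
SAMPLE_DISABLED = b"\x00" * 8 + SENTINEL + bytes([1, 4]) + b"0001" + b"\x00" * 8

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to the app's "Electron Framework" binary (supplied by the operator).
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print("RunAsNode enabled:", run_as_node_enabled(data))
    else:
        print("sample (enabled): ", run_as_node_enabled(SAMPLE_ENABLED))
        print("sample (disabled):", run_as_node_enabled(SAMPLE_DISABLED))
```

In a standard Electron macOS bundle the binary to pass in sits under `Contents/Frameworks/Electron Framework.framework/`. The `@electron/fuses` package reports the same state with `npx @electron/fuses read --app <path to .app>`.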
