CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
The ws.stash.app.mac.daemon.helper tool contains a vulnerability caused by an incorrect use of macOS’s authorization model. Instead of validating the client's authorization reference, the helper invokes AuthorizationCopyRights() using its own privileged context (root), effectively authorizing itself rather than the client. As a result, it grants the system.preferences.admin right internally, regardless of the requesting client's privileges. This flawed logic allows unprivileged clients to invoke privileged operations via XPC, including unauthorized changes to system-wide network preferences such as SOCKS, HTTP, and HTTPS proxy settings. The absence of proper code-signing checks further enables arbitrary processes to exploit this flaw, leading to man-in-the-middle (MITM) attacks through traffic redirection.
Analysis
This is a local privilege escalation vulnerability in the ws.stash.app.mac.daemon.helper tool on macOS that allows unprivileged local users to invoke privileged operations over XPC because the helper validates authorization improperly. The helper incorrectly uses its own root context to validate authorization rather than the client's, enabling attackers to modify system-wide network proxy settings (SOCKS, HTTP, HTTPS) and perform man-in-the-middle attacks. With a CVSS score of 7.8 and low attack complexity, this vulnerability presents significant risk to macOS systems running affected versions of the Stash application.
Technical Context
The vulnerability exists in macOS privilege escalation mechanisms, specifically in how the ws.stash.app.mac.daemon.helper XPC service implements authorization checks. The root cause (CWE-863: Incorrect Authorization) stems from the helper's misuse of the macOS Authorization framework. Instead of validating the client's authorization reference via AuthorizationCopyRights() in the client's security context, the helper invokes AuthorizationCopyRights() in its own privileged (root) context, effectively performing authorization on itself rather than the requestor. This bypasses the intended authorization model where privileged operations should only be executable by authorized users. The absence of code-signing validation further compounds this issue, as any process—not just properly signed applications—can communicate with the XPC service. The vulnerability specifically allows modification of system preferences stored in the macOS network configuration subsystem, which controls proxy settings that apply system-wide to network traffic.
Affected Products
The Stash application for macOS is affected, specifically its ws.stash.app.mac.daemon.helper component, the XPC daemon helper tool bundled with the application. The CVE references do not give an explicit version range; the likely affected versions are Stash for macOS releases prior to the vendor's security patch. Stash is a traffic management/proxy application commonly installed on macOS systems. The approximate CPE is cpe:2.3:a:stash:stash:*:*:*:*:*:macos:*:* (version range unspecified in the available data). Users running Stash on macOS with standard user privileges are affected, particularly in multi-user environments or where this flaw can be chained with other local privilege escalation steps.
Remediation
Immediate remediation requires: (1) Update the Stash application to a patched version released by the vendor that corrects the authorization validation logic. The vendor should verify authorization in the client's security context rather than the helper's privileged context, and implement proper code-signing checks to validate XPC clients. (2) If a patched version is not immediately available, disable or uninstall the Stash application until patches are released. (3) On systems where Stash must remain installed, apply the principle of least privilege: keep user accounts at standard (non-administrator) status and grant administrator rights only when necessary, and monitor for suspicious XPC communications to the ws.stash.app.mac.daemon.helper service. (4) Monitor changes to system proxy settings via audit logs to detect exploitation attempts. Check the official Stash project repository or vendor security advisories for specific patch version numbers. macOS users should enable automatic security updates and monitor for application updates from the Stash developer.
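To make the authorization mistake concrete, here is an added Objective-C illustration (not Stash's code and not taken from this advisory) of the flawed check described under Technical Context, beside the client-context check and XPC code-signing check that the Remediation section calls for. The function names, the client-supplied external-form argument and the Team ID in the signing requirement are assumptions.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// The right the helper must hold proof of before it touches system-wide proxy settings.
static const char *kProxyRight = "system.preferences.admin";

// VULNERABLE (the pattern the advisory describes): the helper ignores the client's
// authorization and evaluates the right against a reference it creates itself. Since the
// helper runs as root, the check succeeds for every caller, privileged or not.
static BOOL vulnerableCheck(void) {
    AuthorizationRef selfRef = NULL;
    if (AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, kAuthorizationFlagDefaults,
                            &selfRef) != errAuthorizationSuccess) return NO;
    AuthorizationItem item = { kProxyRight, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    OSStatus st = AuthorizationCopyRights(selfRef, &rights, kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagExtendRights, NULL);
    AuthorizationFree(selfRef, kAuthorizationFlagDefaults);
    return st == errAuthorizationSuccess;  // root authorizing root: proves nothing
}

// HARDENED: the client sends the external form of *its own* AuthorizationRef in the XPC
// message; the helper rebuilds that reference and checks the right against it.
static BOOL hardenedCheck(NSData *externalForm) {
    if (externalForm.length != sizeof(AuthorizationExternalForm)) return NO;
    AuthorizationRef clientRef = NULL;
    if (AuthorizationCreateFromExternalForm((const AuthorizationExternalForm *)externalForm.bytes,
                                            &clientRef) != errAuthorizationSuccess) return NO;
    AuthorizationItem item = { kProxyRight, 0, NULL, 0 };
    AuthorizationRights rights = { 1, &item };
    // InteractionAllowed lets Security prompt the real user for admin credentials; a
    // standard user who cancels or fails the prompt gets errAuthorizationDenied.
    OSStatus st = AuthorizationCopyRights(clientRef, &rights, kAuthorizationEmptyEnvironment,
                                          kAuthorizationFlagExtendRights | kAuthorizationFlagInteractionAllowed, NULL);
    AuthorizationFree(clientRef, kAuthorizationFlagDefaults);
    return st == errAuthorizationSuccess;
}

// Second fix from the advisory: accept XPC connections only from the vendor's signed app.
// The Team ID is a placeholder (not on this page); -setCodeSigningRequirement: needs macOS 13+.
@interface HelperListenerDelegate : NSObject <NSXPCListenerDelegate> @end
@implementation HelperListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    [conn setCodeSigningRequirement:
        @"anchor apple generic and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\""];
    // ... configure exportedInterface / exportedObject for the helper protocol here ...
    [conn resume];
    return YES;
}
@end
```

The client side of the hardened path calls AuthorizationCreate with no rights, converts the reference with AuthorizationMakeExternalForm, and passes those bytes as NSData in the XPC request; the helper never trusts its own process context.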
EUVD-2024-54674