Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Local vector and low privileges required since exploitation depends on a locally running app with user-level access; confidentiality-only impact as no write or denial-of-service capability is described.
Primary rating from Vendor (apple).
CVSS VectorVendor: apple
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.4. An app may be able to access sensitive user data.
AnalysisAI
Path traversal in Apple macOS prior to Sequoia 15.4 allows a locally-installed application to bypass directory path restrictions and read sensitive user data outside its permitted file system scope. The flaw (CWE-22) stems from insufficient validation of directory path components in macOS path parsing logic, enabling a rogue or compromised app running with standard user privileges to traverse into restricted locations. No public exploit code has been identified and the CVE is not listed in the CISA Known Exploited Vulnerabilities catalog; SSVC assessment confirms no known active exploitation at the time of this analysis.
Technical ContextAI
The vulnerability resides in Apple's macOS directory path handling subsystem, covering all macOS releases prior to 15.4 as identified by CPE cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - 'Path Traversal') indicates that path components such as encoded traversal sequences or unnormalized segments were not properly sanitized before being resolved, allowing an application to escape its intended directory scope. Apple characterizes the fix as 'improved path validation,' meaning the corrective change was in the parsing and normalization logic rather than a permission model change. macOS features such as the App Sandbox and TCC (Transparency, Consent, and Control) framework may constrain exploitation depending on the attacking application's declared entitlements, but do not universally prevent the flaw for all app types.
RemediationAI
The primary and recommended fix is to upgrade to macOS Sequoia 15.4 or later, which incorporates Apple's improved path validation resolving this flaw. The vendor advisory at https://support.apple.com/en-us/122373 provides official guidance and update instructions. If immediate upgrade is not possible, defenders should restrict installation of untrusted third-party applications using macOS Gatekeeper (enforcing App Store or identified developer signatures), reducing the attack surface by limiting which apps can invoke the vulnerable path parsing subsystem. Additionally, reviewing and revoking broad file system access permissions for installed applications via System Settings > Privacy & Security > Files and Folders limits the practical reach of any path traversal. Note that these compensating controls reduce but do not eliminate risk, as App Sandbox bypass via traversal is precisely the class of issue this CVE describes.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210120
GHSA-p2jw-4xq4-w7vc