Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Requires a low-privileged sandboxed process on the local system with no user interaction; successful escape changes scope and yields full CIA impact on the host.
Primary rating from Vendor (apple).
CVSS VectorVendor: apple
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
This issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in macOS Sequoia 15.4. An app may be able to break out of its sandbox.
AnalysisAI
Sandbox escape in Apple macOS prior to Sequoia 15.4 allows a locally installed application to break out of the App Sandbox and perform unauthorized actions outside its confinement boundary. Apple addressed the issue with improved checks; no public exploit identified at time of analysis, though SSVC rates technical impact as total.
Technical ContextAI
The flaw resides in the macOS App Sandbox, a kernel-enforced mandatory access control layer built on Apple's Seatbelt/TrustedBSD framework that restricts an application's access to files, IPC, network, and system resources via entitlement-driven profiles. The CWE-693 (Protection Mechanism Failure) classification indicates the sandbox's enforcement checks were incomplete or bypassable, allowing an in-sandbox process to reach resources its profile should have denied. The CPE cpe:2.3:a:apple:macos covers macOS broadly, with the EUVD record narrowing the affected range to all versions below 15.4.
RemediationAI
Vendor-released patch: macOS Sequoia 15.4 - upgrade affected Macs to 15.4 or later via System Settings > General > Software Update, referencing Apple's advisory at https://support.apple.com/en-us/122373. For fleets that cannot immediately upgrade, compensating controls include restricting installation of untrusted applications via Gatekeeper set to App Store only (trade-off: blocks legitimate developer-signed apps), enforcing notarization checks and removing quarantine-bypass tooling, and using MDM configuration profiles to constrain which apps can be launched (trade-off: administrative overhead and potential workflow disruption). Endpoint detection rules should watch for sandboxed processes performing unexpected filesystem, IPC, or entitlement-related operations.
Same weakness CWE-693 – Protection Mechanism Failure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210114
GHSA-crw2-cm3v-9p9w