Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Lifecycle Timeline
6DescriptionCVE.org
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.6. An app may be able to break out of its sandbox.
AnalysisAI
Sandbox escape in macOS Sequoia prior to 15.6 allows local applications with low privileges to break containment via symlink manipulation, potentially accessing restricted system resources and user data. Apple resolved this via improved symlink handling in macOS 15.6. CVSS score of 8.7 reflects high confidentiality and integrity impact with scope change. No public exploit identified at time of analysis, though SSVC framework indicates partial technical impact with no current exploitation evidence.
Technical ContextAI
This vulnerability stems from improper handling of symbolic links (CWE-59: Improper Link Resolution Before File Access), commonly known as a symlink following or time-of-check-time-of-use vulnerability. macOS employs App Sandbox as a mandatory access control mechanism to restrict application capabilities and file system access. Applications with low privileges (PR:L in CVSS vector) can craft malicious symlinks that, when resolved by the operating system, redirect file operations outside the intended sandbox boundary. The vulnerability affects macOS Sequoia versions prior to 15.6, as indicated by CPE string cpe:2.3:a:apple:macos and EUVD affected version range. Symlink vulnerabilities in sandboxed environments are particularly critical because they undermine the fundamental security architecture separating untrusted applications from sensitive system resources, enabling privilege escalation and unauthorized data access across security domains.
RemediationAI
Update macOS Sequoia to version 15.6 or later, which contains improved symlink handling mechanisms that prevent sandbox escape. Apple released this security update as documented in HT124149 security advisory at https://support.apple.com/en-us/124149. Users should apply updates through System Settings > General > Software Update or via enterprise deployment tools for managed environments. No workarounds are available for this vulnerability; patching to version 15.6 is the only effective remediation. Organizations should prioritize deployment to systems running untrusted or third-party applications where sandbox integrity is critical for security posture. Verify successful update by confirming macOS version 15.6 or higher in About This Mac system information.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209197
GHSA-56pf-93rp-5vq3