Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Local app execution with low user privileges is required; only confidentiality is impacted as the flaw enables read-only access to protected data via symlink following.
Primary rating from Vendor (apple).
CVSS VectorVendor: apple
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.4. An app may be able to access protected user data.
AnalysisAI
Improper symlink resolution in Apple macOS prior to Sequoia 15.4 allows a locally-executing app with standard user privileges to access protected user data that would ordinarily be restricted by macOS privacy controls such as TCC (Transparency, Consent, and Control). Rooted in CWE-59, the flaw enables a malicious app to craft or exploit symbolic links to bypass the OS file-access boundary and read sensitive user data without authorization. No public exploit has been identified at time of analysis, and CISA's SSVC framework rates exploitation as none with partial technical impact.
Technical ContextAI
CWE-59 ('Improper Link Resolution Before File Access - Link Following') describes a class of vulnerability in which a program follows a symbolic link to an unintended filesystem location before adequately validating the resolved target against applicable access controls. In the macOS context, the OS enforces per-app data access restrictions through TCC and sandbox entitlements; a symlink-following flaw can allow a crafted app to redirect a file operation through a symlink into a protected directory (e.g., ~/Library/AddressBook, Photos library, or calendar data) without triggering the expected permission gate. The affected product is Apple macOS, identified by CPE cpe:2.3:a:apple:macos:*:*:*:*:*:*:*:*, covering all macOS versions before 15.4 (Sequoia). Apple addressed the root cause by improving symlink handling in the OS.
RemediationAI
Vendor-released patch: macOS Sequoia 15.4. Update via System Settings → General → Software Update or through Apple's advisory at https://support.apple.com/en-us/122373. Users on macOS Ventura or Sonoma who cannot upgrade to Sequoia should restrict app installation exclusively to the Mac App Store (System Settings → Privacy & Security → App Store only), which reduces the attack surface by limiting the delivery of untrusted local apps capable of exploiting this flaw - though this does not eliminate the underlying vulnerability. Additionally, auditing TCC privacy permissions granted to installed apps (System Settings → Privacy & Security) and revoking unnecessary access may limit the scope of data reachable through a symlink bypass. No workarounds are specified by Apple in the advisory.
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210118
GHSA-2jc2-r9gv-gx5x