Sparkle CVE-2026-47121
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Summary
Binary delta apply intermediate-symlink traversal in malicious .delta
Autoupdate/SUBinaryDeltaApply.m enforces relativePath.pathComponents containsObject:@".." and rejects writes whose immediate parent directory IS itself a symbolic link, but does not detect symlinks deeper in the relative path. Autoupdate/SPUSparkleDeltaArchive.m's extractItem: will create symlinks in the destination tree from archive content (no .. check on the symlink target), and a subsequent Extract item targeting <symlink>/foo/bar then escapes the destination tree via fopen(path, "wb") because the kernel resolves the intermediate symlink during the open call.
This is a defense-in-depth issue: exploitation requires a maliciously-crafted .delta that passes EdDSA signature verification, i.e. EdDSA private-key compromise. With the AppInstaller running as root for system-domain installs, it gives the holder of a stolen signing key arbitrary file write at root level via the delta-apply path, which is a strictly broader primitive than the "drop-in replacement bundle" install they would otherwise have.
Affected versions: 1.x (master branch), 2.x branch including 2.9.1.
Details
Symlink writeable from archive
Autoupdate/SPUSparkleDeltaArchive.m:557-678's extractItem: handles symlinks if the archive item carries S_ISLNK(mode):
} else {
// Link files
if (PARTIAL_IO_CHUNK_SIZE < decodedLength) { ...too long... }
if (decodedLength > PATH_MAX) { ...too long... }
char buffer[PATH_MAX + 1] = {0};
if (![self _readBuffer:buffer length:(int32_t)decodedLength]) { ... }
NSString *destinationPath = [fileManager stringWithFileSystemRepresentation:buffer length:decodedLength];
[fileManager removeItemAtPath:itemFilePath error:NULL];
NSError *createLinkError = nil;
if (![fileManager createSymbolicLinkAtPath:itemFilePath withDestinationPath:destinationPath error:&createLinkError]) {
_error = createLinkError;
return NO;
}
...
lchmod(itemFilePathString, mode);
}The link's destinationPath is taken verbatim from the archive content with only a length cap; absolute paths and .. are accepted. After this item is processed, the destination tree contains a symlink that points outside it.
Parent-symlink check is shallow
Autoupdate/SUBinaryDeltaApply.m:177-207:
[archive enumerateItems:^(SPUDeltaArchiveItem *item, BOOL *stop) {
NSString *relativePath = item.relativeFilePath;
if ([relativePath.pathComponents containsObject:@".."]) {
...reject...
}
NSString *sourceFilePath = [source stringByAppendingPathComponent:relativePath];
NSString *destinationFilePath = [destination stringByAppendingPathComponent:relativePath];
{
NSString *destinationParentDirectory = destinationFilePath.stringByDeletingLastPathComponent;
NSDictionary<NSFileAttributeKey, id> *destinationParentDirectoryAttributes = [fileManager attributesOfItemAtPath:destinationParentDirectory error:NULL];
// It is OK for the directory parent to not exist if it has already been removed
if (destinationParentDirectoryAttributes != nil) {
NSString *fileType = destinationParentDirectoryAttributes[NSFileType];
if ([fileType isEqualToString:NSFileTypeSymbolicLink]) {
...reject...
}
}
}
...
}];Two gaps:
- The check inspects only
destinationParentDirectory(one level up), not all intermediate components. For a relative patha/b/c.txt, the kernel resolves through any symlink at componenta.attributesOfItemAtPath:with the resolved path returns attributes of the resolved-through directory, which isNSFileTypeDirectory(notNSFileTypeSymbolicLink), so the check passes. - The check is skipped entirely if
destinationParentDirectoryAttributes == nil(line 195). When the symlink target is to a directory that does not contain the named subpath, the parent appears not to exist and the check is skipped. The subsequentfopen(path, "wb")then creates the file along the resolved path.
Write primitive
For an item with SPUDeltaItemCommandExtract set, SUBinaryDeltaApply.m:354-365 calls [archive extractItem:item] which goes through SPUSparkleDeltaArchive.m:574-622 for regular files:
[fileManager removeItemAtPath:itemFilePath error:NULL];
char itemFilePathString[PATH_MAX + 1] = {0};
if (![itemFilePath getFileSystemRepresentation:itemFilePathString maxLength:sizeof(itemFilePathString) - 1]) { ... }
FILE *outputFile = fopen(itemFilePathString, "wb");fopen(path, "wb") follows symlinks at every path component and creates/truncates the file at the resolved path. If <dest>/a is a symlink to /Library/LaunchDaemons (for a root install) and the relative path is a/com.attacker.plist, the call writes /Library/LaunchDaemons/com.attacker.plist.
The chmod follow-up at SUBinaryDeltaApply.m:335 (chmod(destinationFilePath.fileSystemRepresentation, sourceFileInfo.st_mode)) and SPUSparkleDeltaArchive.m:619 (chmod(itemFilePathString, mode)) likewise follows symlinks, so attacker-chosen permissions land on the attacker-chosen target.
Threat model
This primitive is reachable only when the archive can pass EdDSA signature verification, which requires either:
- The developer's private signing key has been compromised, or
- A separate vulnerability allows bypassing
SUSignatureVerifier(none was identified in this review).
Given a stolen private key, the attacker already has the ability to push a normal full-bundle update. The delta-apply traversal grants strictly more: arbitrary file write into directories outside <destination>. When the AppInstaller runs in the system domain (root), this becomes arbitrary file write as root, which is qualitatively broader than "replace the app bundle".
It is therefore worth fixing as a defense-in-depth measure, even though the prerequisite (key compromise) is itself a worst case.
PoC
The PoC requires a valid EdDSA signature on the malicious .delta archive. With a test signing key under your control (any Sparkle test fixture key), generate a delta as follows:
- Construct the archive payload with two items, in this order, using the
SPUSparkleDeltaArchivewriter (or by hand-assembling the format described inSPUSparkleDeltaArchive.mandSPUDeltaArchiveProtocol.h):
Item 1:
relativeFilePath = "Contents/Resources/escape"
commands = SPUDeltaItemCommandExtract (= 0x02)
mode = S_IFLNK | 0o755 (= 0xA1ED)
payload = "/Library/LaunchDaemons"
Item 2:
relativeFilePath = "Contents/Resources/escape/com.attacker.persistence.plist"
commands = SPUDeltaItemCommandExtract (= 0x02)
mode = S_IFREG | 0o644 (= 0x81A4)
payload = <attacker-chosen LaunchDaemon plist bytes>- Sign the archive with the test EdDSA key, publish it as a delta enclosure with matching
sparkle:edSignature, and host it from a feed pointed at by a Sparkle host whose old-bundle public key matches. - Trigger a system-domain install. The flow:
applyBinaryDeltaenumerates items.- Item 1 passes the
..check (the path components areContents,Resources,escape- no..). The parentContents/Resourcesexists in the source-copy and is a directory, not a symlink. The check passes.extractItem:forS_ISLNK(mode)callscreateSymbolicLinkAtPath:withDestinationPath:and creates<dest>/Contents/Resources/escape -> /Library/LaunchDaemons. - Item 2 passes the
..check. Its parent<dest>/Contents/Resources/escaperesolves through the just-created symlink to/Library/LaunchDaemons, whose attributes are returned asNSFileTypeDirectory(not symlink). The check passes. extractItem:forS_ISREG(mode)doesremoveItemAtPath(no-op, target file does not yet exist) thenfopen("<dest>/Contents/Resources/escape/com.attacker.persistence.plist", "wb"). The kernel resolves the symlink and creates/Library/LaunchDaemons/com.attacker.persistence.plist.- The hash check at the end of
applyBinaryDelta(getRawHashOfTreeWithVersion(afterHash, finalDestination, ...)) is computed only againstfinalDestination. The file dropped at/Library/LaunchDaemons/is outside that tree and does not affect the hash. The hash check still passes (or, if it does not because the dest tree is missing the file, the dropped LaunchDaemon plist is still left behind - destination cleanup at line 471 only removesfinalDestination, not the escape target).
- Observed result: a root-owned LaunchDaemon plist exists at
/Library/LaunchDaemons/com.attacker.persistence.plist. On next reboot it is launched as root.
A simpler proof-of-concept that does not require a system-domain install: target a user-writable directory (e.g. ~/Library/LaunchAgents/), use a user-domain Sparkle host. The same item-pair lands a user-level LaunchAgent at next login.
Impact
Defense-in-depth gap: the holder of a compromised EdDSA signing key gains a primitive (arbitrary file write at the privilege of the AppInstaller process) that exceeds what an "install a malicious bundle" path provides. For system-domain installs this is arbitrary file write as root, including locations outside the target app bundle (/Library/LaunchDaemons, /etc/... subpaths that exist as directories, /usr/local/, etc.).
Recommended fix: in SUBinaryDeltaApply.m, walk every component of relativePath and reject if any intermediate component is a symlink (or refuse to allow the archive to create symlinks during apply at all, given the limited number of legitimate use cases for symlinks inside an .app bundle and the existing lchmod already in place). Cleanup on failure should also removeTree along the symlink target, not just finalDestination.
AnalysisAI
Intermediate-symlink traversal in Sparkle's binary delta apply pipeline allows a holder of a compromised EdDSA signing key to achieve arbitrary file write at the privilege level of the AppInstaller process - root for system-domain installs. The flaw exists in SUBinaryDeltaApply.m, which only inspects the immediate parent directory for symlink status rather than all intermediate path components; a .delta archive item can first plant a symlink (e.g., pointing to /Library/LaunchDaemons) and a second item can then write through it via fopen(), which follows kernel-resolved symlinks unconditionally. A fully functional proof-of-concept demonstrating LaunchDaemon persistence installation is detailed in GHSA-hg88-v3cw-3qrh, though it requires a valid EdDSA signature, meaning public exploit utility is gated on signing key possession. No vendor-released patch has been identified at time of analysis.
Technical ContextAI
Sparkle is a widely-deployed macOS application auto-update framework (pkg:swift/github.com_sparkle-project_sparkle). Its binary delta update mechanism allows incremental app updates via .delta archives processed by SUBinaryDeltaApply.m and SPUSparkleDeltaArchive.m. CWE-22 (Path Traversal) manifests here as a shallow symlink check: the code verifies that the immediate parent of each extracted item is not a symlink, but does not recursively check every intermediate path component. Separately, extractItem: in SPUSparkleDeltaArchive.m accepts archive-supplied symlink targets verbatim (absolute paths and '..' sequences are not filtered). The combination means a .delta can plant a symlink at e.g. Contents/Resources/escape -> /Library/LaunchDaemons, and a subsequent Extract item for Contents/Resources/escape/foo.plist will pass all path checks - the intermediate directory resolves to NSFileTypeDirectory (not NSFileTypeSymbolicLink) - and fopen() will create the file at the kernel-resolved absolute path outside the destination tree. The chmod follow-up also follows symlinks, granting attacker-chosen permissions on the escaped file.
RemediationAI
No vendor-released patch has been identified at time of analysis; the fixed version field in the advisory is listed as None. The GHSA advisory at https://github.com/sparkle-project/Sparkle/security/advisories/GHSA-hg88-v3cw-3qrh recommends that SUBinaryDeltaApply.m be patched to walk every component of relativePath and reject if any intermediate component resolves to a symlink, rather than only checking the immediate parent; alternatively, prohibiting symlink creation entirely during delta apply would eliminate the attack surface. App developers integrating Sparkle should monitor the upstream repository for a patched release and update immediately when available. As an interim compensating control, operators can disable delta updates in Sparkle's configuration by removing or not hosting .delta enclosures in the appcast feed, forcing full-bundle updates only - this eliminates the vulnerable code path entirely but increases update bandwidth. Restricting the EdDSA signing key to HSM-backed storage and auditing key access logs reduces the likelihood of key compromise that would make this vulnerability exploitable.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-hg88-v3cw-3qrh