CVE-2025-64723

Sažetak

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release.

Reference

https://github.com/arduino/arduino-ide/commit/1fa0fd31c8d6b62f19332e33713a8c5b0f4ed6f9
https://github.com/arduino/arduino-ide/pull/2805
https://github.com/arduino/arduino-ide/releases/tag/2.3.7
https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj
https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities

CVSS

Base:	4.4
Impact:	2.5
Exploitability:	1.8

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
LOW	LOW	NONE

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Zadnje važnije ažuriranje

19-02-2026 - 21:22

Objavljeno

18-12-2025 - 16:15