Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

TCC Bypass vulnerabilities in two macOS applications
20 June 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-5255
Publication date 20 June 2025
Vendor Core.ai
Product Phoenix Code
Vulnerable versions All through 4.0.3
Vulnerability type (CWE) Incorrect Default Permissions (CWE-276)
Report source Report to CERT Polska
CVE ID CVE-2025-5963
Publication date 20 June 2025
Vendor Postbox
Product Postbox
Vulnerable versions 7.0.65
Vulnerability type (CWE) Incorrect Default Permissions (CWE-276)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in Postbox software and participated in coordination of their disclosure.

The vulnerability CVE-2025-5255: The Phoenix Code's configuration on macOS, specifically the presence of entitlements: com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.

This issue was fixed in commit: 0c75fb57f89d0b7d9b180026bc2624b7dcf807da

The vulnerability CVE-2025-5963: The Postbox's configuration on macOS, specifically the presence of entitlements: com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.

The original company behind Postbox is no longer operational, the software will no longer receive updates. The acquiring company (eM Client) did not cooperate in vulnerability disclosure.

Credits

We thank Karol Mazurek - Afine Team for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.