Sparkle is vulnerable to Improper Access Control
Risk score: 73 (High Risk)
Affected versions of this package are vulnerable to local privilege escalation and access control bypass. Specifically, a flaw in the Downloader XPC Service allows attackers to bypass Transparency, Consent, and Control (TCC) protections and access restricted directories (e.g., ~/Desktop, ~/Documents, ~/Downloads). Additionally, weaknesses in the Installer XPC Service and Autoupdate tool enable attackers to escalate privileges to root by tricking users into installing malicious packages or by exploiting race conditions during update processes. These issues could allow malware running on the system to gain unauthorized access to sensitive files or execute arbitrary code with elevated privileges. The security issue was addressed in version 2.7.2, but that release introduced a potential crash. Users are advised to upgrade directly to version 2.7.3 for a stable and secure fix.
You are affected if you are using a version that falls within the vulnerable range.
Sparkle is vulnerable to Improper Access Control in versions 2.6.0 - 2.7.1.
Upgrade the Sparkle library to version 2.7.3 or later (2.7.2 contains the fix but introduced a potential crash).
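A small defender-side check for this advisory, added here as an example and not part of the advisory or the Sparkle project: it reads the Sparkle framework's `Info.plist` bundled inside an app and classifies the version against the 2.6.0 - 2.7.1 vulnerable range, the crash-prone 2.7.2 release, and the recommended 2.7.3. The `Info.plist` content is a constructed sample, and the framework path and the `org.sparkle-project.Sparkle` bundle identifier are assumptions about a standard embedding.

```python
import os
import plistlib
import re
from typing import Tuple

# Constructed sample of the Info.plist that ships inside
# MyApp.app/Contents/Frameworks/Sparkle.framework/Resources/Info.plist
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>org.sparkle-project.Sparkle</string>
<key>CFBundleShortVersionString</key><string>2.7.1</string>
</dict></plist>"""

VULN_MIN, VULN_MAX = (2, 6, 0), (2, 7, 1)   # range from the advisory
FIXED_BUT_CRASHY = (2, 7, 2)                # fix present, known crash
RECOMMENDED = (2, 7, 3)                     # stable and secure

# Assumed standard location of an embedded Sparkle framework plist.
FRAMEWORK_PLIST = "Contents/Frameworks/Sparkle.framework/Resources/Info.plist"


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.7.1' (or '2.7.1-beta') into a 3-tuple for comparison."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(x) if x else 0 for x in m.groups())


def sparkle_version_from_plist(data: bytes) -> str:
    """Extract CFBundleShortVersionString, refusing non-Sparkle plists."""
    info = plistlib.loads(data)
    if info.get("CFBundleIdentifier") != "org.sparkle-project.Sparkle":
        raise ValueError("not a Sparkle.framework Info.plist")
    return info["CFBundleShortVersionString"]


def assess(version: str) -> str:
    """Classify a Sparkle version against this advisory."""
    v = parse_version(version)
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    if v == FIXED_BUT_CRASHY:
        return "fixed-but-unstable"
    if v >= RECOMMENDED:
        return "ok"
    return "out-of-range"  # older than 2.6.0: not covered by this advisory


def check_app(app_path: str) -> str:
    """Assess the Sparkle copy embedded in an .app bundle on disk."""
    with open(os.path.join(app_path, FRAMEWORK_PLIST), "rb") as fh:
        return assess(sparkle_version_from_plist(fh.read()))
```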