CVE-2025-5255
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
20/06/2025
Last modified:
23/06/2025
Description
The Phoenix Code&#39;s configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application&#39;s context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.<br />
<br />
This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da
Impact
Base Score 4.0
4.80
Severity 4.0
MEDIUM