CVE-2025-5963

Published Jun 20, 2025

Last updated 24 days ago

CVSS medium 4.8

Overview

Description
The Postbox's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. The original company behind Postbox is no longer operational, the software will no longer receive updates. The acquiring company (em Client) did not cooperate in vulnerability disclosure.
Source
cvd@cert.pl
NVD status
Awaiting Analysis
CNA Tags
unsupported-when-assigned

Risk scores

CVSS 4.0

Type
Secondary
Base score
4.8
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

Weaknesses

cvd@cert.pl
CWE-276

Social media

Hype score
Not currently trending

  1. CVE-2025-5963 The Postbox's configuration on macOS, specifically the presence of entitlements: "https://t.co/bj3jxDQ3Yx.cs.allow-dyld-environment-variables" and "https://t.co/bj3jxDQ3Yx.cs.dis… https://t.co/yTBsLpNdVM

    @CVEnew

    20 Jun 2025

    399 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References

Sources include official advisories and independent security research.