Full Report
A TCC bypass vulnerability has been found in two macOS applications: Phoenix Code (CVE-2025-5255) and Postbox (CVE-2025-5963).
Analysis Summary
# Vulnerability: TCC Bypass via Dylib Injection in Two macOS Applications
## CVE Details
- CVE ID: CVE-2025-5255, CVE-2025-5963
- CVSS Score: Not specified in the source; assess per deployment (local attack vector, impact bounded by the TCC grants the user has already made to the application)
- CWE: CWE-276 (Incorrect Default Permissions)
## Affected Systems
- **Products:**
- Phoenix Code (Vendor: Core.ai)
- Postbox (Vendor: Postbox)
- **Versions:**
- Phoenix Code: all versions through 4.0.3
- Postbox: 7.0.65 (no fixed version exists)
- **Configurations:** macOS builds of the applications signed with the Hardened Runtime and carrying both entitlements `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation`.
## Vulnerability Description
The applications are vulnerable to a Transparency, Consent, and Control (TCC) bypass caused by two Hardened Runtime entitlements that should not be combined in a shipping build. The Hardened Runtime normally strips `DYLD_*` environment variables at launch and refuses to load libraries not signed by Apple or by the application's own Team ID. `com.apple.security.cs.allow-dyld-environment-variables` restores the environment variables, and `com.apple.security.cs.disable-library-validation` lifts the signature check, so a local attacker already running code as the victim user can launch the application with `DYLD_INSERT_LIBRARIES` pointing at an arbitrary (unsigned or ad hoc signed) dylib. The injected code runs inside the application's process, under its code-signing identity, and therefore inherits every TCC grant the user has made to that application (for example Files and Folders, Contacts, Camera or Microphone). Exploitation is limited to resources the user has *already* granted to the application; no new consent prompt is triggered, which is precisely what makes this a TCC bypass rather than a privilege escalation.
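The practical check a defender or packaging engineer wants here is whether a given bundle carries the entitlement pair. The script below is an added example written for this page, not code from CERT.PL, Core.ai or Postbox. It classifies an entitlement dictionary into three exposure levels (the "signed-only" case is the intermediate state where dyld environment variables are honoured but library validation still restricts what can be inserted) and, on macOS, reads the entitlements with `codesign`. The embedded plist is a constructed sample that mirrors the vulnerable configuration, not a dump from either vendor's binary.

```python
"""Audit a macOS app bundle for the entitlement pair that makes
DYLD_INSERT_LIBRARIES injection possible under the Hardened Runtime."""
import plistlib
import subprocess
import sys

ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIBVAL = "com.apple.security.cs.disable-library-validation"


def classify_entitlements(ents: dict) -> str:
    """Classify the injection exposure implied by a Hardened Runtime entitlement dict.

    'injectable'   both entitlements true: any dylib, unsigned included, can be
                   inserted via DYLD_INSERT_LIBRARIES
    'signed-only'  env vars honoured but library validation still on: only dylibs
                   signed by Apple or by the app's own Team ID will load
    'not-exposed'  dyld environment variables are stripped by the Hardened Runtime
    """
    env_ok = bool(ents.get(ALLOW_DYLD_ENV, False))
    libval_off = bool(ents.get(DISABLE_LIBVAL, False))
    if env_ok and libval_off:
        return "injectable"
    if env_ok:
        return "signed-only"
    return "not-exposed"


def parse_entitlements(xml_bytes: bytes) -> dict:
    """Parse the XML plist that `codesign -d --entitlements :-` prints.

    An empty blob means the binary has no entitlements (or is unsigned); in that
    case the Hardened Runtime restrictions are not the thing protecting it.
    """
    if not xml_bytes.strip():
        return {}
    return plistlib.loads(xml_bytes)


def audit_bundle(path: str) -> str:
    """Run codesign on a bundle (macOS only) and classify its entitlements.

    Assumption: this codesign prints the entitlements as an XML plist for the
    ':-' form; on newer macOS releases add --xml if you get the text form instead.
    """
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        capture_output=True, check=True,
    ).stdout
    return classify_entitlements(parse_entitlements(out))


# Constructed sample (not taken from either vendor's binary): the entitlement
# combination that the two CVEs describe.
SAMPLE_VULNERABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Usage: python3 audit_entitlements.py "/Applications/Some App.app" ...
    for bundle in sys.argv[1:]:
        print(f"{bundle}: {audit_bundle(bundle)}")
```

Run it over `/Applications` during app inventory and treat every "injectable" result as an application whose TCC grants are effectively shared with any code running as the user; "signed-only" is worth a second look but is not this bug.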
## Exploitation
- **Status:** No public PoC is referenced in the source; the technique (launching the app with `DYLD_INSERT_LIBRARIES` pointing at a dylib with a constructor) is standard and trivially reproducible. No in-the-wild exploitation reported.
- **Complexity:** Low (requires the ability to run code as the local user; no memory corruption, race or timing dependency)
- **Attack Vector:** Local
## Impact
- **Confidentiality:** Access to previously TCC-protected resources (files, data) for which the user has already granted permission to the application.
- **Integrity:** Potential for code execution within the application's context.
- **Availability:** Low, primarily focused on data access/modification rather than denial of service.
## Remediation
### Patches
- **Phoenix Code:** Fixed in commit `0c75fb57f89d0b7d9b180026bc2624b7dcf807da` (Implies a new version is available past 4.0.3).
- **Postbox:** No official patch is expected. The original vendor is defunct, and the acquiring company (eM Client) did not cooperate in disclosure.
### Workarounds
- **For Postbox users:** Since no official patches are forthcoming, migrate to a maintained email client. Until then, reduce the blast radius by revoking TCC grants Postbox does not strictly need (System Settings > Privacy & Security, or `tccutil reset` with the app's bundle identifier): injected code only inherits permissions the user has already granted, so every revoked grant is one less resource the bypass reaches.
## Detection
- **Indicators of Compromise:** Process-execution events for the `Phoenix Code` or `Postbox` binaries whose environment carries `DYLD_INSERT_LIBRARIES` (or other `DYLD_*` variables); a dylib loaded into those processes from outside the app bundle, `/System` or `/usr/lib`; and, for inventory rather than incident detection, the entitlement pair itself, visible with `codesign -d --entitlements - <app bundle>`.
- **Detection Methods and Tools:** macOS EDR or Endpoint Security based tooling that records the environment of spawned processes and their library loads, correlated against an inventory of installed applications that carry the entitlement pair.
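The indicator above is easy to turn into a rule once process telemetry includes the child's environment. The following is an added example, not part of the CERT.PL report or of either vendor's tooling: it scans exec events (one JSON object per line, a shape chosen here for illustration) for the two affected applications, pulls the dylib list out of `DYLD_INSERT_LIBRARIES`, and rates a finding higher when a library comes from outside the app bundle and the system library paths. The bundle paths are assumed default install locations and the event lines are constructed, not real captures.

```python
"""Flag DYLD_INSERT_LIBRARIES injection into the affected apps from
process-execution telemetry (one JSON object per event)."""
import json

# Assumed default install locations of the two affected applications.
WATCHED_BUNDLES = (
    "/Applications/Phoenix Code.app/",
    "/Applications/Postbox.app/",
)
# Where a legitimately loaded dylib may come from; anything else is foreign.
TRUSTED_PREFIXES = ("/System/", "/usr/lib/")
DYLD_VAR = "DYLD_INSERT_LIBRARIES="


def inserted_libraries(env):
    """Return the colon-separated dylib list from DYLD_INSERT_LIBRARIES, if set."""
    for entry in env:
        if entry.startswith(DYLD_VAR):
            return [p for p in entry[len(DYLD_VAR):].split(":") if p]
    return []


def load_events(jsonl):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect_injection(events, watched=WATCHED_BUNDLES):
    """One finding per exec of a watched app whose environment inserts a dylib."""
    findings = []
    for ev in events:
        exe = ev.get("executable", "")
        bundle = next((b for b in watched if exe.startswith(b)), None)
        if bundle is None:
            continue
        libs = inserted_libraries(ev.get("env", []))
        if not libs:
            continue
        # A dylib from inside the bundle or the system paths is suspicious but
        # explainable; anything else is attacker-controlled code by definition.
        foreign = [lib for lib in libs
                   if not lib.startswith((bundle,) + TRUSTED_PREFIXES)]
        findings.append({
            "pid": ev.get("pid"),
            "ppid": ev.get("ppid"),
            "executable": exe,
            "libraries": libs,
            "foreign_libraries": foreign,
            "severity": "high" if foreign else "medium",
        })
    return findings


# Constructed telemetry, not real captures: each line mimics an exec event that
# carries the spawned process's environment, as EDR sensors typically record it.
SAMPLE_EVENTS = """\
{"pid": 812, "ppid": 1, "executable": "/Applications/Phoenix Code.app/Contents/MacOS/Phoenix Code", "env": ["HOME=/Users/alice", "PATH=/usr/bin:/bin"]}
{"pid": 901, "ppid": 877, "executable": "/Applications/Postbox.app/Contents/MacOS/Postbox", "env": ["HOME=/Users/alice", "DYLD_INSERT_LIBRARIES=/Users/alice/Library/Caches/update.dylib"]}
{"pid": 955, "ppid": 1, "executable": "/Applications/Safari.app/Contents/MacOS/Safari", "env": ["DYLD_INSERT_LIBRARIES=/tmp/x.dylib"]}
"""

if __name__ == "__main__":
    for finding in detect_injection(load_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

Only the Postbox launch is reported: it is a watched binary and its environment inserts a dylib from the user's cache directory. The Safari event is ignored because the rule is scoped to the two affected applications; widen `WATCHED_BUNDLES` with whatever your entitlement inventory flags. The parent PID is kept in the finding because the process that set the variable, not the app, is the thing to investigate.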
## References
- Vendor advisories: None for Postbox (vendor did not cooperate). For Phoenix Code the fixing commit is the only vendor reference.
- Relevant links - defanged:
* hXXps://www.cve.org/CVERecord?id=CVE-2025-5255
* hXXps://www.cve.org/CVERecord?id=CVE-2025-5963
* hXXps://cert.pl/en/publications/ (General link to advisories)