# Full Report
CERT Polska has received a report about 2 vulnerabilities (CVE-2025-10015 and CVE-2025-10016) found in Sparkle software.
# Analysis Summary
## Vulnerability Summary: Sparkle Framework Local Privilege Escalation and Data Leakage
This summary outlines two related vulnerabilities reported in the Sparkle software framework by CERT Polska.
***
# Vulnerability: Sparkle Framework Local Data Exposure and Local Privilege Escalation
## CVE Details
- **CVE-2025-10015**
  - **CVSS Score:** Not provided in the source material (severity pending CVSS calculation)
  - **CWE:** CWE-863: Incorrect Authorization
- **CVE-2025-10016**
  - **CVSS Score:** Not provided in the source material (severity pending CVSS calculation)
  - **CWE:** CWE-863: Incorrect Authorization
## Affected Systems
- **Products:** Sparkle Framework
- **Versions:** All versions before 2.7.2
- **Configurations:** Local attacker context is required.
## Vulnerability Description
**CVE-2025-10015 (Data Leakage via XPC Service):**
The Sparkle framework includes an XPC service named `Downloader.xpc`. By default, this service is scoped privately to the application that bundles it. However, a local unprivileged attacker can register this XPC service globally, so that the attacker's globally registered service inherits the Transparency, Consent, and Control (TCC) permissions of the legitimate application. Because the service does not properly validate its clients, the attacker can copy TCC-protected files to an arbitrary location. Access beyond the permissions already granted to the legitimate application still requires user interaction via a system prompt.
**CVE-2025-10016 (Local Privilege Escalation):**
The Sparkle framework includes a helper tool called `Autoupdate`. Because the daemon does not authenticate incoming connections, a local unprivileged attacker can attempt to install a malicious PKG file by racing to connect to the daemon when another legitimate application spawns it as root. Successful exploitation allows the attacker to escalate privileges to root. It is also noted that the `Autoupdate` tool can potentially be spawned manually via the `Installer` XPC service, which prompts the victim for credentials through an authorization dialog that an attacker might manipulate.
## Exploitation
- **Status:** Details on exploitation in the wild are not provided. PoC details are implied through the technical description.
- **Complexity:** Low to Medium (Requires local access, but service interaction appears straightforward).
- **Attack Vector:** Local
## Impact
*Note: Specific impact metrics (Low/High) are not provided in the source material; the ratings below are derived from the flaw type.*
- **Confidentiality:** High (For CVE-2025-10015: Potential access to TCC-protected files).
- **Integrity:** High (For CVE-2025-10016: Privilege escalation to root allows system modification).
- **Availability:** Low to Medium (Depending on actions taken by the elevated process).
## Remediation
### Patches
- **CVE-2025-10015 & CVE-2025-10016:** Upgrade to **Sparkle version 2.7.2** or later.
### Workarounds
No specific workarounds are detailed in the summary; mitigation relies on patching. If patching is not immediately possible, configuration restrictions that prevent local users from registering global XPC services, or strict monitoring of `Autoupdate` tool execution, could serve as temporary measures.
## Detection
- **Indicators of Compromise:**
  - Unexpected global registration of the `Downloader.xpc` service.
  - Unusual execution paths or file installations associated with the `Autoupdate` helper tool or the `Installer` XPC service, especially those involving root actions initiated by an unprivileged source.
- **Detection methods and tools:** Monitoring system calls related to XPC service registration, and file copy operations performed by user-level Sparkle components holding elevated TCC rights.
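As an added illustration (not part of the CERT Polska report or of Sparkle itself), the two indicators above can be expressed as triage rules over an endpoint event feed. The event schema, the application bundle `/Applications/ExampleApp.app`, the uids and all paths below are constructed placeholders; real telemetry would need to be mapped onto these fields.

```python
"""Triage rules for the two Sparkle IoCs, run over a constructed event feed (added example)."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Event:
    kind: str            # "xpc_register" or "install" (assumed schema)
    component: str       # Sparkle component involved (".../Downloader.xpc" or ".../Autoupdate")
    actor_uid: int       # uid that registered the service / supplied the package
    euid: int            # effective uid of the process performing the action
    target: str          # registered service path, or path of the PKG being installed
    allowed_prefix: str  # directory where the owning app legitimately keeps this artefact

def under(path: str, prefix: str) -> bool:
    """True if path lies inside prefix (separator-aware, rejects '..' components)."""
    prefix = prefix.rstrip("/") + "/"
    return ".." not in path.split("/") and path.startswith(prefix)

def triage(ev: Event) -> Optional[str]:
    """Return a CVE-tagged finding when an event matches one of the IoCs, else None."""
    unprivileged_actor = ev.actor_uid != 0
    outside = not under(ev.target, ev.allowed_prefix)
    # IoC 1: Downloader.xpc ships privately scoped inside the app bundle; a registration
    # from anywhere else by a non-root user is the CVE-2025-10015 pattern.
    if ev.kind == "xpc_register" and ev.component.endswith("/Downloader.xpc"):
        if unprivileged_actor and outside:
            return "CVE-2025-10015: Downloader.xpc registered outside its owning app bundle"
    # IoC 2: root-level Autoupdate installing a package that an unprivileged uid staged
    # outside the owning app's update directory (CVE-2025-10016 pattern).
    if ev.kind == "install" and ev.component.endswith("/Autoupdate") and ev.euid == 0:
        if unprivileged_actor and outside:
            return "CVE-2025-10016: root Autoupdate installing a package from an unexpected location"
    return None

# Constructed sample feed: one benign and one suspicious event per IoC (placeholder paths).
APP = "/Applications/ExampleApp.app"
XPC = APP + "/Contents/Frameworks/Sparkle.framework/XPCServices/Downloader.xpc"
AUTOUPDATE = APP + "/Contents/Frameworks/Sparkle.framework/Autoupdate"
CACHE = "/Users/alice/Library/Caches/ExampleApp"
SAMPLE_EVENTS = [
    Event("xpc_register", XPC, 501, 501, XPC, APP),                                     # benign
    Event("xpc_register", "/Users/mallory/Downloader.xpc", 502, 502,
          "/Users/mallory/Downloader.xpc", APP),                                         # IoC 1
    Event("install", AUTOUPDATE, 501, 0, CACHE + "/Update.pkg", CACHE),                  # benign
    Event("install", AUTOUPDATE, 502, 0, "/tmp/staged.pkg", CACHE),                      # IoC 2
]

def findings(events=SAMPLE_EVENTS):
    """Findings for a feed, in event order; two for the constructed sample."""
    return [f for f in (triage(e) for e in events) if f]
```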
## References
- Vendor Advisory: No direct vendor advisory link is present; CERT Polska coordinated the disclosure.
- Relevant links (defanged):
  - hxxps://cert.pl/en/publications/
  - CVE records on cve.org (CVE-2025-10015, CVE-2025-10016)