Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release.

Related CPE's

Could not find any relations

References

https://github.com/arduino/arduino-ide/pull/2805/commits/2f7667136ee95ce07dde23c49d2de526b45e3293

https://github.com/arduino/arduino-ide/releases/tag/2.3.7

https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqj

https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities

Weaknesses

[email protected]

Primary
CWE-276

CVSS impact metrics

Missing metrics for CVSS V

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Awaiting analysis

Published

2025-12-18T16:15:55.470

28 hours ago

Last modified

2025-12-19T18:00:18.330

3 hours ago