Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.

Related CPE's

Could not find any relations

References

https://github.com/arduino/arduino-ide/pull/2805/commits/5d282f38496e96dcba02818536c0835bd684ec98

https://github.com/arduino/arduino-ide/releases/tag/2.3.7

https://github.com/arduino/arduino-ide/security/advisories/GHSA-3fvj-pgqw-fgw6

https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities

Weaknesses

[email protected]

Primary
CWE-276

CVSS impact metrics

Missing metrics for CVSS V

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Awaiting analysis

Published

2025-12-18T16:15:55.623

28 hours ago

Last modified

2025-12-19T18:00:18.330

3 hours ago