Description
The Sparkle framework includes a helper tool, Autoupdate. Due to a lack of authentication of connecting clients, a local unprivileged attacker can request installation of a crafted malicious PKG file by racing to connect to the daemon when another app spawns it as root. This results in local privilege escalation to root privileges. It is worth noting that it is possible to spawn Autoupdate manually via the Installer XPC service. However, this requires the victim to enter credentials in a system authorization dialog, which can be modified by the attacker. This issue was fixed in version 2.7.2.
References (3)
product: https://github.com/sparkle-project/Sparkle
third-party-advisory: https://cert.pl/en/posts/2025/09/CVE-2025-10015
vendor-advisory: https://github.com/sparkle-project/Sparkle/discussions/2764
Scores
CVSS v4
8.8
EPSS
0.0019
EPSS Percentile
9.1%
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
Sparkle Project/Sparkle
< 2.7.2
Published
Sep 16, 2025
Tracked Since
Feb 18, 2026