Description
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.
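A defender-side check for this class of issue (CWE-276, incorrect default permissions on installed application files), added here as an example and not taken from the advisory or the Arduino project: it lists every entry under an application bundle that any local user can modify, and a second function tightens those modes. The bundle path is an assumption; the test below builds a constructed directory tree instead.

```shell
#!/bin/sh
# Added example (not from the advisory or the Arduino project): audit an
# installed application bundle for files or directories that are writable
# by "other", i.e. by any local user (CWE-276).
# Usage: sh audit_perms.sh "/Applications/Arduino IDE.app"   (path assumed)

# Print every entry under $1 whose mode has the other-write bit (octal 002).
# Symlinks are excluded because their own mode bits carry no meaning.
# Returns 0 when nothing is world-writable, 1 when at least one entry is.
find_world_writable() {
    dir="$1"
    found=$(find "$dir" ! -type l -perm -002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Remediation: clear the other-write bit on every world-writable entry
# under $1. Run as the owner of the bundle (or with sudo).
fix_world_writable() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} +
}

# Stand-alone run: audit the path given on the command line, if any.
if [ -n "$1" ]; then
    find_world_writable "$1" && echo "no world-writable entries under $1"
fi
```

Run the audit again after remediation; an empty result with exit status 0 confirms no entry under the bundle remains writable by other users.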
References (4)
Core References
Vendor Advisory (x_refsource_confirm): https://github.com/arduino/arduino-ide/security/advisories/GHSA-3fvj-pgqw-fgw6
Patch (x_refsource_misc): https://github.com/arduino/arduino-ide/pull/2805/commits/5d282f38496e96dcba02818536c0835bd684ec98
Release Notes (x_refsource_misc): https://github.com/arduino/arduino-ide/releases/tag/2.3.7
Various Sources (x_refsource_misc): https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-IDE-v2-3-7-Resolves-Multiple-Vulnerabilities
Scores
CVSS v3: 7.3
EPSS: 0.0010
EPSS Percentile: 1.2%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-276
Status: published
Products (1)
arduino/arduino_ide < 2.3.7
Published: Dec 18, 2025
Tracked Since: Feb 18, 2026