CVE-2025-4280: TCC Bypass via Inherited Permissions in Bundled Interpreter in Poedit.app
Description
MacOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions
granted by the user to the main application bundle. An attacker with local user access can
invoke this interpreter with arbitrary commands or scripts, leveraging the
application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Poedit, potentially disguising attacker's malicious intent.
This issue has been fixed in 3.6.3 version of Poedit.
Classification
CVE ID: CVE-2025-4280
CVSS Base Severity: MEDIUM
CVSS Base Score: 4.8
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Problem Types
CWE-276 Incorrect Default PermissionsAffected Products
Vendor: Poedit
Product: Poedit
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.01% (probability of being exploited)
EPSS Percentile: 0.93% (scored less or equal to compared to others)
EPSS Date: 2025-06-19 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-4280https://cert.pl/posts/2025/05/CVE-2025-4280
https://cert.pl/en/posts/2025/05/CVE-2025-4280
https://poedit.net
https://github.com/vslavik/poedit
https://github.com/vslavik/poedit/security/advisories/GHSA-8fcw-v6gr-hp34