Description
This issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access contacts.
Published: 2025-03-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read user contacts
Action: Update
AI Analysis

Impact

This vulnerability arises from inadequate file handling that permits an application to read the user’s contacts database, exposing personal data. The flaw aligns with the data-exposure weakness CWE-200 and does not provide remote code execution or denial of service; it simply allows an unauthorized app to access sensitive contact information.

Affected Systems

Apple macOS is affected. Versions of macOS Sequoia, Sonoma, and Ventura prior to the 15.4, 14.7.5, and 13.7.5 releases, respectively, are vulnerable. The fix is included in those patch releases, but earlier builds lack the remediation.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk. The EPSS score of less than 1% suggests the probability of exploitation remains low, and the vulnerability is not listed in CISA’s KEV catalog. An attacker would need to deliver a malicious application and rely on local execution or a user’s approval; the attack vector is therefore inferred to be local rather than remote.

Generated by OpenCVE AI on April 28, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the macOS update that includes the fix for Sequoia 15.4, Sonoma 14.7.5, or Ventura 13.7.5.
  • In System Settings → Privacy → Contacts, review which applications have access and revoke any unnecessary permissions.
  • Monitor application activity for unexpected contact access and investigate any anomalies.



Advisories
Source ID Title
EUVD EUVD-2025-8935 This issue was addressed with improved file handling. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access contacts.
History

Tue, 28 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title macOS File Handling Vulnerability Allows Unprivileged App to Read User Contacts

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: This issue was addressed with improved file handling. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access contacts.
Values Added: This issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access contacts.

Mon, 03 Nov 2025 22:30:00 +0000


Tue, 08 Apr 2025 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Tue, 01 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics
Values Removed:

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Values Added:

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 01 Apr 2025 05:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed with improved file handling. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access contacts.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:24:36.472Z

Reserved: 2025-01-17T00:00:45.019Z

Link: CVE-2025-24279

Vulnrichment

Updated: 2025-11-03T21:12:28.395Z

NVD

Status: Modified

Published: 2025-03-31T23:15:24.293

Modified: 2026-04-02T19:19:32.370

Link: CVE-2025-24279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T02:30:18Z

Weaknesses