Description
This issue was addressed through improved state management. This issue is fixed in Xcode 16.3. An app may be able to overwrite arbitrary files.
Published: 2025-03-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite
Action: Apply Patch
AI Analysis

Impact

An application executed within Xcode can overwrite arbitrary files because the IDE does not enforce proper state boundaries, a flaw categorized as CWE‑787. This allows an attacker to replace any file accessible to the Xcode process, potentially corrupting system or application configuration and undermining integrity.

Affected Systems

Apple Xcode versions prior to 16.3 are vulnerable; Xcode 16.3 and later contain the state‑management fix.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate severity, while the EPSS score of less than 1% shows a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require the attacker to run code inside an Xcode session, implying that the threat vector is primarily local, though a compromised developer machine could be leveraged.

Generated by OpenCVE AI on April 28, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Xcode to version 16.3 or later to apply the state‑management fix
  • Restrict write permissions on critical system and application files to limit damage from an overwrite
  • Continuously monitor file integrity logs for unexpected modifications



Advisories
Source ID Title
EUVD EUVD-2025-8910 This issue was addressed through improved state management. This issue is fixed in Xcode 16.3. An app may be able to overwrite arbitrary files.
History

Tue, 28 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Title Arbitrary File Overwrite Vulnerability in Xcode via Improper State Management

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Fri, 04 Apr 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple xcode
CPEs cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple xcode

Tue, 01 Apr 2025 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed through improved state management. This issue is fixed in Xcode 16.3. An app may be able to overwrite arbitrary files.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:18:49.719Z

Reserved: 2025-03-22T00:04:43.717Z

Link: CVE-2025-30441

Vulnrichment

Updated: 2025-11-03T21:14:47.381Z

NVD

Status: Modified

Published: 2025-03-31T23:15:26.083

Modified: 2025-11-03T22:18:46.043

Link: CVE-2025-30441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T11:45:30Z

Weaknesses