CVE-2025-30450 - Vulnerability Details

- macOS Symlink Validation Flaw Allowing Unauthorized Data Access

Description

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access sensitive user data.

Published: 2025-03-31

Score: 5.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in macOS where symlink validation lacks proper checks (CWE-284) enables an application to read files that a user should not access, potentially exposing sensitive data.

Affected Systems

Apple devices running macOS before macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5 are affected; these versions do not contain the improved symlink validation introduced in the listed releases.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate risk, while an EPSS score of less than 1% suggests a low probability of active exploitation at present and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that exploitation requires an attacker to run a malicious application locally, which can create or exploit a symlink to a protected file, thereby gaining unauthorized access to confidential data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 13.7.5
`0`	affected	< 14.7.5
`0`	affected	< 15.4

Configuration 1 [-]

OR	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Install the latest macOS update—at least macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5—to receive the symlink validation fix.
Review and follow Apple support articles 122373, 122374, and 122375 for detailed update procedures and verification steps.
If an immediate upgrade is not feasible, restrict execution of untrusted applications that may create symlinks to sensitive locations by using app sandboxing or stricter file‑system permissions.

Generated by OpenCVE AI on April 28, 2026 at 18:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-8914	This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access sensitive user data.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0005.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://seclists.org/fulldisclosure/2025/Apr/10
http://seclists.org/fulldisclosure/2025/Apr/8
http://seclists.org/fulldisclosure/2025/Apr/9
https://support.apple.com/en-us/122373
https://support.apple.com/en-us/122374
https://support.apple.com/en-us/122375

History

Tue, 28 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Title		macOS Symlink Validation Flaw Allowing Unauthorized Data Access

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access sensitive user data.	This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access sensitive user data.

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2025/Apr/10 http://seclists.org/fulldisclosure/2025/Apr/8 http://seclists.org/fulldisclosure/2025/Apr/9

Mon, 07 Apr 2025 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos
CPEs		cpe:2.3:o:apple:macos::::::::
Vendors & Products		Apple Apple macos

Tue, 01 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access sensitive user data.
References		https://support.apple.com/en-us/122373 https://support.apple.com/en-us/122374 https://support.apple.com/en-us/122375

Subscriptions

Apple Macos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-03-31T22:24:15.951Z

Updated: 2026-04-02T18:25:44.831Z

Reserved: 2025-03-22T00:04:43.720Z

Link: CVE-2025-30450

Vulnrichment

Updated: 2025-04-01T15:37:34.608Z

NVD

Status : Modified

Published: 2025-03-31T23:15:26.643

Modified: 2026-04-02T19:19:39.170

Link: CVE-2025-30450

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object