Description
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to read files outside of its sandbox.
Published: 2025-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Access
Action: Patch Immediately
AI Analysis

Impact

A permissions issue in macOS allows a sandboxed application to read files outside its designated sandbox. The primary impact is the disclosure of sensitive data from files that should be inaccessible, representing a confidentiality breach due to an out‑of‑bounds read vulnerability identified as CWE‑125. The flaw was formally mitigated by adding stricter sandbox restrictions and fixed in macOS Sequoia 15.4.

Affected Systems

Apple macOS versions prior to Sequoia 15.4 are affected; macOS Sequoia 15.4 and later versions contain the fix for the sandbox permission error.

Risk and Exploitability

The CVSS score of 9.8 (Critical) indicates severe potential for data leakage. The EPSS score of less than 1% suggests that exploitation is currently considered unlikely at scale, and the vulnerability is not listed in CISA KEV. The attack vector is inferred to be the installation or execution of a malicious or compromised application that can leverage the sandbox bypass to read forbidden files.

Generated by OpenCVE AI on April 28, 2026 at 02:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade macOS to Sequoia 15.4 or later to apply the vendor‑supplied fix
  • Ensure the system is regularly updated with the latest macOS security updates
  • Restrict installation of applications to trusted sources and monitor for unexpected file read activity

Advisories
Source: EUVD
ID: EUVD-2025-8904
Title: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to read files outside of its sandbox.
History

Tue, 28 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Sandbox Bypass Enabling Unauthorized File Read in macOS

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Fri, 04 Apr 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
CPEs cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple macos

Tue, 01 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to read files outside of its sandbox.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:15:32.698Z

Reserved: 2025-03-22T00:04:43.720Z

Link: CVE-2025-30458

Vulnrichment

Updated: 2025-11-03T21:15:48.238Z

NVD

Status: Modified

Published: 2025-03-31T23:15:27.300

Modified: 2025-11-03T22:18:47.983

Link: CVE-2025-30458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:00:10Z

Weaknesses