Description
A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access sensitive user data.
Published: 2025-11-04
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure
Action: Patch
AI Analysis

Impact

The vulnerability is a path parsing issue in macOS’s directory handling. It arises when the system fails to correctly validate directory paths supplied by an application, allowing the app to reference files outside its intended scope. This flaw, classified as CWE-22 (path traversal), could enable the application to read sensitive user data stored in protected locations, resulting in data exposure. Because the flaw lies in the path validation logic rather than in authentication, any application that can run on the system has the opportunity to exploit it.

Affected Systems

Apple macOS, specifically versions before Sequoia 15.7.2, Sonoma 14.8.2, and Tahoe 26.1. The issue was resolved in these releases, so devices running older builds may remain vulnerable.

Risk and Exploitability

The CVSS score of 5.5 classifies it as a medium-severity vulnerability. The EPSS score of less than 1% indicates a very low estimated probability of exploitation. Because the attack vector relies on a local application that can supply a malicious path, exploitation is limited to systems where an attacker can install or run a custom application. The vulnerability is not listed in the CISA KEV catalog, consistent with widespread exploitation not having been observed.

Generated by OpenCVE AI on April 27, 2026 at 23:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update your macOS installation to the latest security updates, at least Sequoia 15.7.2, Sonoma 14.8.2, or Tahoe 26.1, which contain the path validation fix.
  • Restrict the application’s filesystem access by reviewing its sandbox permissions or running it through Gatekeeper and ensuring it cannot access sensitive directories.
  • Monitor system logs for irregular file access patterns that could indicate an attempt at unauthorized path traversal.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 23:45:00 +0000

Type: Title
Values Added: Directory Path Parsing Issue Leading to Potential Data Leakage

Thu, 02 Apr 2026 20:30:00 +0000

Type: Description
Values Removed: A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An app may be able to access sensitive user data.
Values Added: A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Sonoma 14.8.2, macOS Tahoe 26.1. An app may be able to access sensitive user data.

Wed, 17 Dec 2025 21:00:00 +0000

Type: Description
Values Removed: A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access sensitive user data.
Values Added: A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.7.2, macOS Tahoe 26.1, macOS Sonoma 14.8.2. An app may be able to access sensitive user data.

Type: References

Tue, 04 Nov 2025 17:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*

Tue, 04 Nov 2025 16:45:00 +0000

Type: First Time appeared
Values Added: Apple; Apple macos; Apple macos Sequoia; Apple macos Sonoma

Type: Vendors & Products
Values Added: Apple; Apple macos; Apple macos Sequoia; Apple macos Sonoma

Tue, 04 Nov 2025 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-22

Type: Metrics
Values Added:
cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 04 Nov 2025 01:45:00 +0000

Type: Description
Values Added: A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sonoma 14.8.2, macOS Sequoia 15.7.2. An app may be able to access sensitive user data.

Type: References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:16:47.963Z

Reserved: 2025-04-16T15:24:37.116Z

Link: CVE-2025-43382

Vulnrichment

Updated: 2025-11-04T14:38:33.043Z

NVD

Status: Modified

Published: 2025-11-04T02:15:45.197

Modified: 2026-04-02T19:20:37.040

Link: CVE-2025-43382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:30:15Z

Weaknesses