CVE-2025-24100 in macOSinfo

Summary

by MITRE • 01/28/2025

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to access information about a user's contacts.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 04/08/2026

This vulnerability represents a logic flaw in apple's operating system that allowed unauthorized access to user contact information through application-level mechanisms. The issue stems from insufficient restrictions within the system's privacy controls, creating a potential pathway for malicious applications to bypass normal access controls and retrieve sensitive contact data without proper user consent or authorization. The vulnerability affects multiple versions of macos including sequoia 15.3, sonoma 14.7.3, and ventura 13.7.3, indicating a widespread concern across the operating system's privacy protection mechanisms.

The technical nature of this flaw falls under the category of privilege escalation and information disclosure vulnerabilities, where an application that should not have access to contact information can potentially retrieve such data through improper validation of access requests. This type of vulnerability directly impacts the core privacy protections that macos implements to safeguard user personal information, creating a scenario where applications might exploit system logic gaps to access data they should not be able to obtain. The issue is classified as a logic issue according to cwe taxonomy, specifically relating to improper restriction of operations within a recognized security context.

The operational impact of this vulnerability extends beyond simple data exposure, as it represents a fundamental weakness in the system's ability to enforce access controls for sensitive user information. Attackers could potentially develop applications that leverage this logic flaw to harvest contact lists, potentially enabling social engineering attacks, identity theft, or other malicious activities that rely on access to personal contact information. The vulnerability undermines user trust in the operating system's privacy protections and could allow for targeted attacks against specific individuals based on their contact relationships.

The fix implemented by apple addresses this issue through enhanced restrictions that properly validate application access requests and enforce stricter boundaries around contact information access. This remediation aligns with security best practices outlined in the attack framework, particularly focusing on preventing unauthorized access to sensitive data through proper access control mechanisms. Users should immediately update to the patched versions to ensure their contact information remains protected, as the vulnerability represents a significant risk to personal privacy and data security. The fix demonstrates apple's commitment to addressing privacy concerns through systematic improvements to their security architecture and access control implementations.

Responsible

Apple

Reservation

01/17/2025

Disclosure

01/28/2025

Moderation

accepted

CPE

ready

EPSS

0.00241

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!