CVE-2025-9474 in Party
Summary
by MITRE • 08/26/2025
A vulnerability was detected in Mihomo Party up to 1.8.1 on macOS. Affected is the function enableSysProxy of the file src/main/sys/sysproxy.ts of the component Socket Handler. The manipulation results in creation of temporary file with insecure permissions. The attack requires a local approach. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 08/26/2025
CVE-2025-9474 represents a critical security flaw in Mihomo Party version 1.8.1 and earlier on macOS systems, specifically within the Socket Handler component's sysproxy.ts file. This vulnerability manifests through the enableSysProxy function which creates temporary files with insecure permissions, creating a persistent security risk for affected systems. The issue stems from improper handling of temporary file creation processes that fail to establish appropriate access controls, potentially allowing unauthorized users or processes to manipulate or access sensitive system resources. The vulnerability requires local system access for exploitation, making it a privilege escalation concern rather than a remote attack vector, though this does not diminish its potential impact on system integrity and security posture.
The technical implementation of this flaw involves the creation of temporary files without proper permission settings, which violates fundamental security principles for temporary file handling. According to CWE standards, this vulnerability aligns with CWE-377: Insecure Temporary File and CWE-732: Incorrect Permission Assignment for Critical Resource, both of which emphasize the importance of proper file permission management during temporary file creation. The insecure permissions typically manifest as overly permissive file modes that allow unauthorized users to read, write, or execute temporary files, potentially enabling privilege escalation attacks or information disclosure scenarios. The high complexity required for exploitation suggests that attackers must possess local system access and demonstrate technical proficiency in leveraging the temporary file vulnerability.
From an operational perspective, this vulnerability poses significant risks to macOS systems running affected versions of Mihomo Party, particularly in environments where multiple users share systems or where security isolation is critical. The potential impact includes unauthorized system modifications, privilege escalation to administrative levels, and possible data compromise through temporary file manipulation. Attackers could exploit this weakness to inject malicious code into system processes, modify network proxy configurations, or establish persistent access points within the system. The fact that exploitation is characterized as difficult but possible indicates that while the attack requires specific conditions and technical knowledge, the vulnerability remains a viable threat vector for determined adversaries.
The public availability of exploits for this vulnerability significantly increases the risk profile, as it removes the requirement for advanced technical skills or extensive reconnaissance. Security practitioners should consider this vulnerability in the context of ATT&CK framework, particularly under techniques related to privilege escalation and persistence. The vulnerability's impact extends beyond immediate system compromise to potentially affect network security controls and monitoring systems that rely on proper proxy configuration. Organizations should prioritize immediate remediation through version updates, implement proper file permission monitoring, and conduct security assessments to identify any potential exploitation attempts. The temporary file creation issue also highlights the need for comprehensive security controls around system-level operations and proper sandboxing of applications that interact with system proxy configurations.