Incorrect Authorization Affecting sparkle package, versions >=2.6, <2.7.2


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.13% (3rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-COCOAPODS-SPARKLE-13008224
  • published23 Sept 2025
  • disclosed16 Sept 2025
  • creditKarol Mazurek

Introduced: 16 Sep 2025

CVE-2025-10015  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade sparkle to version 2.7.2 or higher.

Overview

Affected versions of this package are vulnerable to Incorrect Authorization via the Downloader.xpc service. A local unprivileged attacker can access and copy files protected by TCC permissions by registering the service globally and exploiting the lack of client validation.

##Workaround

This does not impact apps that do use the downloader service and have chosen make a custom build of Sparkle to sandbox the service (by setting a custom XPC_SERVICE_BUNDLE_ID_PREFIX and uncommenting DOWNLOADER_SANDBOXED_ENTITLEMENTS)

CVSS Base Scores

version 4.0
version 3.1