Home > Vulnerability Database > CVE-2025-10016

Mend.io Vulnerability Database

CVE-2025-10016

Good to know:

Date: September 16, 2025

The Sparkle framework includes a helper tool Autoupdate. Due to lack of authentication of connecting clients a local unprivileged attacker can request installation of crafted malicious PKG file by racing to connect to the daemon when other app spawns it as root. This results in local privilege escalation to root privileges. It is worth noting that it is possible to spawn Autopudate manually via Installer XPC service. However this requires the victim to enter credentials upon system authorization dialog creation that can be modified by the attacker. This issue was fixed in version 2.7.2

Severity Score

8.8

Related Resources (5)

Url: https://github.com/sparkle-project/Sparkle

Url: https://github.com/sparkle-project/Sparkle/discussions/2764

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-10016

Url: https://cert.pl/en/posts/2025/09/CVE-2025-10015

Url: https://www.mend.io/vulnerability-database/CVE-2025-10016

Severity Score

8.8

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

Upgrade Version

Upgrade to version https://github.com/sparkle-project/Sparkle.git - 2.7.2

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-10016

Good to know:

Date: September 16, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?