The Postbox's configuration on macOS, specifically the presence of entitlements: "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation" allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to successfully inject code in application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission.
The original company behind Postbox is no longer operational, the software will no longer receive updates. The acquiring company (em Client) did not cooperate in vulnerability disclosure.
CVSS
No CVSS.
References
Configurations
No configuration.
History
23 Jun 2025, 20:16
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
20 Jun 2025, 10:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-06-20 10:15
Updated : 2025-06-23 20:16
NVD link : CVE-2025-5963
Mitre link : CVE-2025-5963
CVE.ORG link : CVE-2025-5963
JSON object : View
Products Affected
No product.
CWE
CWE-276
Incorrect Default Permissions