Vulnerability Description
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime protections. This configuration allows attackers to inject malicious dynamic libraries into the application process, gaining access to all TCC (Transparency, Consent, and Control) permissions granted to the application. The fix is included starting from the `2.3.7 ` release.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arduino | Arduino Ide | < 2.3.7 |
| Apple | Macos | - |
Related Weaknesses (CWE)
References
- https://github.com/arduino/arduino-ide/commit/1fa0fd31c8d6b62f19332e33713a8c5b0fPatch
- https://github.com/arduino/arduino-ide/pull/2805Issue Tracking
- https://github.com/arduino/arduino-ide/releases/tag/2.3.7ProductRelease Notes
- https://github.com/arduino/arduino-ide/security/advisories/GHSA-vf5j-xhwq-8vqjPatchVendor Advisory
- https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino-Vendor Advisory
FAQ
What is CVE-2025-64723?
CVE-2025-64723 is a vulnerability with a CVSS score of 4.4 (MEDIUM). Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS was configured with overly permissive security entitlements that could bypass macOS Hardened Runtime...
How severe is CVE-2025-64723?
CVE-2025-64723 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64723?
Check the references section above for vendor advisories and patch information. Affected products include: Arduino Arduino Ide, Apple Macos.