Vulnerability Description
Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.
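To audit an installed copy for the misconfiguration described above, here is an added POSIX shell check (not part of the advisory or the Arduino project) that lists world-writable files and directories under an app bundle; the bundle path and the `chmod -R o-w` remediation are assumptions, and upgrading to 2.3.7 remains the supported fix.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a macOS app bundle for files or
# directories that grant write access to "other" users (mode bit 0002), the
# condition CVE-2025-64724 describes. The bundle path is an assumption.
APP_BUNDLE="${APP_BUNDLE:-/Applications/Arduino IDE.app}"

# Print every entry under $1 that is world-writable.
# Returns 0 when the tree is clean, 1 when offenders were found,
# 2 when $1 is not a directory. -perm -0002 works with BSD and GNU find.
check_world_writable() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(find "$dir" \( -type f -o -type d \) -perm -0002 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Remediation (an assumption, not the vendor's patch): drop the "other" write
# bit on everything in the tree so no unprivileged local user can replace files.
strip_world_write() {
    chmod -R o-w "$1"
}

# Stand-alone use: audit the bundle if it is present on this machine.
if [ -d "$APP_BUNDLE" ]; then
    if check_world_writable "$APP_BUNDLE"; then
        echo "OK: no world-writable entries under $APP_BUNDLE"
    else
        echo "WARNING: world-writable entries found under $APP_BUNDLE (listed above)" >&2
    fi
fi
```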
CVSS Score
7.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Arduino | Arduino IDE | < 2.3.7 |
| Apple | macOS | - |
Related Weaknesses (CWE)
References
- https://github.com/arduino/arduino-ide/pull/2805/commits/5d282f38496e96dcba02818 (Patch)
- https://github.com/arduino/arduino-ide/releases/tag/2.3.7 (Product, Release Notes)
- https://github.com/arduino/arduino-ide/security/advisories/GHSA-3fvj-pgqw-fgw6 (Patch, Vendor Advisory)
- https://support.arduino.cc/hc/en-us/articles/24329484618652-ASEC-25-004-Arduino- (Vendor Advisory)
FAQ
What is CVE-2025-64724?
CVE-2025-64724 is a vulnerability with a CVSS score of 7.3 (HIGH). Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any ...
How severe is CVE-2025-64724?
CVE-2025-64724 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64724?
Check the references section above for vendor advisories and patch information. Affected products include: Arduino IDE (Arduino), macOS (Apple).