{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-31244", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-03-27T16:13:58.326Z", "datePublished": "2025-05-12T21:42:30.676Z", "dateUpdated": "2026-04-02T18:13:00.336Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to break out of its sandbox"}]}], "affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "15.5", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sequoia 15.5. An app may be able to break out of its sandbox."}], "references": [{"url": "https://support.apple.com/en-us/122716"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:13:00.336Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-31244", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-14T04:01:11.099052Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T18:28:38.125Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/May/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:51:52.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/May/7"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:51:52.859Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-31244", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-14T04:01:11.099052Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-13T14:03:36.972Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "15.5", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122716"}], "descriptions": [{"lang": "en", "value": "A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sequoia 15.5. An app may be able to break out of its sandbox."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to break out of its sandbox"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-05-12T21:42:30.676Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31244", "state": "PUBLISHED", "dateUpdated": "2026-02-26T18:28:38.125Z", "dateReserved": "2025-03-27T16:13:58.326Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-05-12T21:42:30.676Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF1B4AB8-2B51-4EED-BD29-C500C83FAB10", "versionEndExcluding": "15.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sequoia 15.5. An app may be able to break out of its sandbox."}, {"lang": "es", "value": "Se solucion\u00f3 una omisi\u00f3n de cuarentena de archivos con comprobaciones adicionales. Este problema se solucion\u00f3 en macOS Sequoia 15.5. Una aplicaci\u00f3n podr\u00eda salir de su zona de pruebas."}], "id": "CVE-2025-31244", "lastModified": "2025-11-03T20:18:22.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-12T22:15:24.633", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122716"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/May/7"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T01:54:31.130861+00:00", "value": {"mitigation_remediation": ["Upgrade macOS to Sequoia\u202f15.5 or later to apply the quarantine bypass fix.", "Verify that system integrity protection and the quarantine mechanism are enabled to prevent future bypass attempts.", "Limit the installation of third\u2011party applications and review App\u2011Store permissions to reduce sandbox escape opportunities."], "summary": {"action": "Patch ASAP", "impact": "Privilege Escalation via Sandbox Escape"}, "threat_synthesis": {"affected_systems": "Apple macOS, specifically versions before Sequoia\u202f15.5 are vulnerable. The fix is delivered in macOS Sequoia 15.5, so any device running an earlier release of macOS Sequoia or prior macOS iterations remains at risk.", "description_and_impact": "The vulnerability is a file quarantine bypass that allows an application to escape its macOS sandbox. By exploiting missing validation checks, a malicious app could execute code outside the sandbox boundaries, potentially accessing or modifying system files, escalating privileges, and compromising the integrity of the operating system. This flaw is categorized as CWE\u2011693, emphasizing the failure to enforce required security controls.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity, while the EPSS score of less than 1\u202f% suggests a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog, reflecting its relatively low exploitation probability. An attacker would typically need to supply a malicious application that leverages the quarantine bypass to break out of the sandbox, indicating a local or application-based attack vector."}}}}, "created": "2026-04-28T02:00:15.390391+00:00", "title": "File Quarantine Bypass Allowing Sandbox Escape in macOS", "updated": "2026-04-28T02:00:15.390401+00:00", "vendors": []}