{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-43370", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-04-16T15:24:37.114Z", "datePublished": "2025-09-15T22:34:21.797Z", "dateUpdated": "2026-04-02T18:08:15.385Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing an overly large path value may crash a process"}]}], "affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"version": "0", "status": "affected", "lessThan": "26", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A path handling issue was addressed with improved validation. This issue is fixed in Xcode 26. Processing an overly large path value may crash a process."}], "references": [{"url": "https://support.apple.com/en-us/125117"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:08:15.385Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-120", "lang": "en", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-16T15:01:11.182130Z", "id": "CVE-2025-43370", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-16T15:02:24.169Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Sep/60"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T18:12:46.055Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-43370", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-16T15:01:11.182130Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-16T15:00:54.797Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "Xcode", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "26", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/125117"}], "descriptions": [{"lang": "en", "value": "A path handling issue was addressed with improved validation. This issue is fixed in Xcode 26. Processing an overly large path value may crash a process."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing an overly large path value may crash a process"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-09-15T22:34:21.797Z"}}}, "cveMetadata": {"cveId": "CVE-2025-43370", "state": "PUBLISHED", "dateUpdated": "2025-09-16T15:02:24.169Z", "dateReserved": "2025-04-16T15:24:37.114Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-09-15T22:34:21.797Z", "assignerShortName": "apple"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:xcode:*:*:*:*:*:*:*:*", "matchCriteriaId": "37CC7F40-CC3A-4AEB-9260-B621FE64735A", "versionEndExcluding": "26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A path handling issue was addressed with improved validation. This issue is fixed in Xcode 26. Processing an overly large path value may crash a process."}], "id": "CVE-2025-43370", "lastModified": "2025-11-03T19:16:05.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-15T23:15:38.667", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/125117"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Sep/60"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:49:48.207484+00:00", "value": {"mitigation_remediation": ["Upgrade to Xcode 26 or a later release in which the path validation bug is fixed.", "Avoid creating or opening projects or source files with unusually long directory paths in Xcode until an update is available.", "Monitor Apple support and security advisories for any additional patches or workarounds."], "summary": {"action": "Update", "impact": "Denial of Service via Crash"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Apple Xcode, with the issue fixed starting in Xcode 26. No specific release versions are listed as vulnerable, and the description does not provide additional version constraints. Systems running older Xcode versions may be susceptible.", "description_and_impact": "A path handling issue in Apple Xcode was addressed with improved validation. An overly large path value may cause the Xcode process to crash, resulting in a denial of service. The weakness involves improper bounds checking on input strings, which is identified as CWE-120.", "risk_and_exploitability": "CVSS score of 4 indicates medium severity. The EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild, and the CVE is not catalogued in CISA KEV. The attack vector appears to require local execution or manipulation of Xcode input files, so an attacker would need access to the user environment or the ability to submit large path values through Xcode interfaces."}}}}, "created": "2025-09-17T10:06:41.437083+00:00", "updated": "2026-04-28T11:00:14.128703+00:00", "vendors": ["apple", "apple$PRODUCT$xcode"]}