CVE-2025-0509 HIGH

CVE-2025-0509: Signing Checks Bypass

Vendor: Sparkle-Project
Product: Sparkle
Weakness: CWE-552 · Files accessible externally
Published: February 4, 2025
Last update: February 17, 2025

CVSS base score

7.3/10
Attack vector: Adjacent
Attack complexity: High
Privileges required: High
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkle’s (Ed)DSA signing checks.

Key dates

02 Disclosure timeline

February 4, 2025: CVE published
February 17, 2025: Record updated