CVE-2025-64723 MEDIUM

CVE-2025-64723: Arduino IDE for macOS has TCC Bypass via Dynamic Library Injection

Vendor Arduino
Product arduino-ide
Weakness CWE-276
Published December 18, 2025
Last update January 14, 2026

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, the macOS build of Arduino IDE shipped with overly permissive code-signing entitlements that switched off parts of the macOS Hardened Runtime (the weakness is tracked as CWE-276, Incorrect Default Permissions). With those protections relaxed, a local attacker with ordinary user privileges (the CVSS vector is AV:L/PR:L, no user interaction required) can inject a malicious dynamic library into the running Arduino IDE process. Because TCC (Transparency, Consent, and Control) grants are tied to the application rather than to the code that actually executes, the injected library inherits every TCC permission the user has already granted to Arduino IDE, without triggering a new consent prompt. The fix is included starting from the `2.3.7` release; users should update, since there is no configuration-level workaround for entitlements baked into a signed application bundle.
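The practical check for this class of bug is to dump an application's entitlements and look for the Hardened Runtime exceptions that make library injection possible. The script below is an added example written for this page; it is not code from the advisory or from the Arduino project, and the page does not say which entitlements Arduino IDE actually shipped with before 2.3.7. It therefore flags Apple's general set of runtime-exception entitlements, highlights the pair that together allows an unsigned dylib to be injected through dyld environment variables, and lists the TCC-protected resources the bundle declares. Both entitlement plists are constructed sample inputs; on a real Mac the input would come from `codesign -d --entitlements :- "/Applications/Arduino IDE.app"`.

```python
"""Audit a macOS app's entitlements for Hardened Runtime exceptions.

Added example for CVE-2025-64723; not code from the advisory or the Arduino project.
The specific entitlements Arduino IDE shipped with are not named on the page, so the
checker covers Apple's documented runtime-exception entitlements in general.
"""
import plistlib
from typing import Any, Dict

# Apple's Hardened Runtime exception entitlements and why each weakens code integrity.
RISKY_ENTITLEMENTS: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation":
        "app may load dylibs/frameworks not signed by Apple or by its own Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables (including DYLD_INSERT_LIBRARIES) are honoured at launch",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory allowed; code injected at runtime can execute",
    "com.apple.security.cs.allow-jit":
        "MAP_JIT executable memory allowed (commonly needed by Electron/JS apps)",
    "com.apple.security.cs.disable-executable-page-protection":
        "executable pages may be modified; disables W^X for the process",
    "com.apple.security.cs.debugger":
        "app may attach to and control other processes",
    "com.apple.security.get-task-allow":
        "other processes may take the task port and inject code (debug builds only)",
}

# Together these two let a same-user attacker load an arbitrary unsigned dylib.
DYLD_INJECTION_PAIR = (
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
)

# Entitlement prefixes that declare access to TCC-protected resources; anything an
# injected library runs under inherits whatever the user has granted for these.
TCC_PREFIXES = (
    "com.apple.security.device.",
    "com.apple.security.personal-information.",
)


def audit_entitlements(plist_bytes: bytes) -> Dict[str, Any]:
    """Return risky entitlements, whether dyld injection is enabled, and TCC resources."""
    ents = plistlib.loads(plist_bytes)
    enabled = {k for k, v in ents.items() if v is True}
    risky = {k: RISKY_ENTITLEMENTS[k] for k in sorted(enabled) if k in RISKY_ENTITLEMENTS}
    injectable = all(k in enabled for k in DYLD_INJECTION_PAIR)
    tcc = sorted(k for k in enabled if k.startswith(TCC_PREFIXES))
    return {"risky": risky, "dyld_injectable": injectable, "tcc_resources": tcc}


# Constructed sample: a hardened-runtime app that opts out of library validation
# and allows dyld environment variables (hypothetical, not Arduino's real plist).
PERMISSIVE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

# Constructed sample of the corrected shape: keep only what an Electron app needs.
HARDENED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><false/>
    <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""


if __name__ == "__main__":
    for label, data in (("permissive", PERMISSIVE_ENTITLEMENTS), ("hardened", HARDENED_ENTITLEMENTS)):
        result = audit_entitlements(data)
        print(f"[{label}] dyld injection possible: {result['dyld_injectable']}")
        for key, why in result["risky"].items():
            print(f"  risky: {key}: {why}")
        print(f"  TCC-protected resources declared: {result['tcc_resources']}")
```

Note that `allow-jit` is still reported in the hardened sample: Electron-based applications legitimately need it, so the finding to act on is the injection pair (and `disable-library-validation` on its own, which also lets a dropped dylib in a search path be loaded), not every exception in the list. A `<false/>` value is treated as absent, which matches how macOS evaluates boolean entitlements.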

Key dates

Disclosure timeline

December 18, 2025 CVE published
January 14, 2026 Record updated