CVE-2025-64724 MEDIUM

CVE-2025-64724: Arduino IDE for macOS has Insecure File Permissions

Vendor Arduino
Product arduino-ide
Weakness CWE-276
Published December 18, 2025
Last update December 18, 2025

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Arduino IDE is an integrated development environment. Prior to version 2.3.7, Arduino IDE for macOS is installed with world-writable file permissions on sensitive application components, allowing any local user to replace legitimate files with malicious code. When another user launches the application, the malicious code executes with that user's privileges, enabling privilege escalation and unauthorized access to sensitive data. The fix is included starting from the `2.3.7` release.
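As a defender's check for the CWE-276 condition this record describes, here is an added example that is not part of this advisory or of the Arduino project: a POSIX shell audit that lists world-writable entries under an application bundle and a remediation function that clears the other-write bit. The default path `/Applications/Arduino IDE.app` is an assumption, as is the bundle layout used in the comments.

```shell
#!/bin/sh
# Audit an application bundle for world-writable files and directories,
# the permission flaw described in CVE-2025-64724 (CWE-276).
# Assumed default install location; pass another path as the first argument.
APP_PATH="${1:-/Applications/Arduino IDE.app}"

# Print every world-writable entry under $1 (one per line).
# Returns 1 if any was found, 0 if the tree is clean, 2 on a bad path.
find_world_writable() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -002: the "other write" bit is set (GNU and BSD find agree).
    # Symlinks are skipped; their own mode bits are not what gets enforced.
    hits=$(find "$dir" ! -type l -perm -002 -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Remediation: clear the other-write bit on every offending entry.
# Needs ownership of the files (or root), so it is normally run with sudo.
clear_world_write() {
    find "$1" ! -type l -perm -002 -exec chmod o-w {} +
}

# Report for humans: lists offenders (e.g. Contents/MacOS or Contents/Resources
# in a typical bundle) and summarises the result.
audit_bundle() {
    if find_world_writable "$1"; then
        echo "OK: no world-writable entries under $1"
    else
        echo "FAIL: world-writable entries found under $1 (fix: clear_world_write)"
    fi
}

# Only run the audit when a path was supplied, so sourcing the file
# just defines the functions.
if [ "$#" -gt 0 ]; then
    audit_bundle "$APP_PATH"
fi
```

Run it before and after an upgrade to 2.3.7 or later; a clean result after `clear_world_write` confirms the fix did not leave stragglers behind.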

Disclosure timeline

December 18, 2025 CVE published
December 18, 2025 Record updated