Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-24140

CVE-2025-24140: Apple macOS Information Disclosure Flaw

CVE-2025-24140 is an information disclosure vulnerability in Apple macOS where downloaded files may bypass quarantine flags, potentially exposing users to malicious content. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-24140 Overview

CVE-2025-24140 is a state management flaw in Apple macOS that allows files downloaded from the internet to bypass the quarantine attribute. The quarantine flag (com.apple.quarantine) is a core component of macOS Gatekeeper, triggering signature checks and user consent prompts before executing untrusted content. When the flag is missing, downloaded files execute without the standard Gatekeeper warning dialog. Apple addressed the issue in macOS Sequoia 15.3 through improved state management. The vulnerability is classified under [CWE-276] Incorrect Default Permissions.

Critical Impact

Downloaded files may execute without Gatekeeper verification, weakening a primary macOS defense against malicious downloads and social engineering.

Affected Products

  • Apple macOS versions prior to Sequoia 15.3
  • macOS environments relying on Gatekeeper for download screening
  • Applications that inherit quarantine state from parent download processes

Discovery Timeline

  • 2025-01-27 - CVE-2025-24140 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-24140

Vulnerability Analysis

The vulnerability affects how macOS assigns the com.apple.quarantine extended attribute to files retrieved from the internet. Under normal conditions, applications registered as LSFileQuarantineEnabled attach this attribute to any file written from a remote source. The attribute instructs Gatekeeper and XProtect to inspect the file before first execution or opening.

Due to a state management defect, certain download paths fail to propagate the quarantine attribute to the resulting file. Files written through the affected code path appear identical to locally created content. Gatekeeper skips its signature validation and consent prompt when the attribute is absent.

The practical outcome is a Gatekeeper bypass. Malicious executables, disk images, or scripts delivered through affected download flows launch without the standard warning that identifies internet-sourced content. This lowers the barrier for drive-by download and social engineering attacks targeting macOS users.

Root Cause

The root cause is improper state tracking between the download initiator and the file system write operation. The process responsible for tagging files with the quarantine attribute did not consistently observe the internet-origin state, resulting in files that should have been flagged being written without the attribute.

Attack Vector

Exploitation requires an attacker to deliver a file through a download workflow that triggers the flawed state path. The user must still open the file, but they will not receive the Gatekeeper prompt that normally warns of internet-sourced binaries. No authentication or privilege is required on the target system beyond standard user interaction with downloaded content.

The vulnerability mechanism is documented in the Apple Support Article and the Full Disclosure Mailing List posting.

Detection Methods for CVE-2025-24140

Indicators of Compromise

  • Executable files, disk images, or scripts in user download directories missing the com.apple.quarantine extended attribute
  • First-run execution of downloaded binaries without corresponding Gatekeeper prompt events in system.log
  • Applications launched from ~/Downloads that have no associated LSQuarantineDataURL metadata

Detection Strategies

  • Audit files in user download paths using xattr -l and flag internet-sourced binaries lacking quarantine attributes
  • Correlate browser and messaging client download telemetry with file system events to identify missing quarantine tags
  • Deploy endpoint detection rules that inspect newly created Mach-O binaries and scripts for the absence of com.apple.quarantine

Monitoring Recommendations

  • Enable Unified Logging collection for com.apple.syspolicy and com.apple.quarantine subsystems
  • Track LaunchServices events for first-launch executions of unsigned or ad-hoc signed applications
  • Alert on execution of files from ~/Downloads, ~/Desktop, and Safari-managed paths that lack quarantine metadata

How to Mitigate CVE-2025-24140

Immediate Actions Required

  • Upgrade all affected systems to macOS Sequoia 15.3 or later, which contains the state management fix
  • Inventory endpoints running macOS versions earlier than 15.3 and prioritize patching for users who routinely download files from external sources
  • Reinforce user awareness that Gatekeeper prompts are not a comprehensive defense and unsigned binaries should be treated with suspicion

Patch Information

Apple resolved the vulnerability in macOS Sequoia 15.3 through improved state management, ensuring the quarantine attribute is consistently applied to files retrieved from network sources. Refer to the Apple Support Article for the full advisory and update instructions.

Workarounds

  • Enforce Gatekeeper in strict mode via configuration profile to require notarized applications only
  • Manually apply quarantine attributes to downloaded files using xattr -w com.apple.quarantine where automated tagging cannot be verified
  • Restrict execution from user-writable directories such as ~/Downloads using endpoint policy controls
bash
# Verify quarantine attribute on a downloaded file
xattr -l ~/Downloads/suspicious_file

# Manually apply quarantine attribute if missing
xattr -w com.apple.quarantine "0081;$(printf '%x' $(date +%s));Manual;$(uuidgen)" ~/Downloads/suspicious_file

# Confirm current macOS version meets patched baseline
sw_vers -productVersion

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.