CVE-2025-31191 Overview
CVE-2025-31191 is an information disclosure vulnerability affecting multiple Apple operating systems. The flaw stems from improper state management in the handling of security-scoped bookmarks, which can be abused by a sandboxed application to access sensitive user data outside its intended permissions. Apple addressed the issue with improved state management in iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, and watchOS 11.4. Microsoft Threat Intelligence published a detailed analysis describing how the vulnerability enables a macOS sandbox escape via security-scoped bookmarks.
Critical Impact
A malicious application can escape the App Sandbox and access sensitive user data without user consent or interaction beyond launching the app.
Affected Products
- Apple iOS and iPadOS prior to 18.4
- Apple macOS Ventura prior to 13.7.5, macOS Sonoma prior to 14.7.5, and macOS Sequoia prior to 15.4
- Apple tvOS prior to 18.4 and watchOS prior to 11.4
Discovery Timeline
- 2025-03-31 - CVE-2025-31191 published to the National Vulnerability Database (NVD)
- 2025-05-01 - Microsoft publishes technical analysis of the macOS sandbox escape
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2025-31191
Vulnerability Analysis
The vulnerability resides in how Apple operating systems manage security-scoped bookmarks. Security-scoped bookmarks are persistent references that allow sandboxed applications to retain access to user-selected files and directories across launches. Improper state management in this subsystem allows an attacker-controlled app to manipulate bookmark resolution and gain access to resources it was never authorized to read.
According to Microsoft's analysis, the flaw enables a sandboxed application to escape the App Sandbox boundary entirely, reaching files protected by Transparency, Consent, and Control (TCC), such as user documents and other privacy-sensitive locations. The weakness is categorized as Exposure of Sensitive Information to an Unauthorized Actor [CWE-200].
Root Cause
Apple describes the root cause only as improper state management in the bookmark subsystem, and Microsoft's analysis shows what that means in practice: the component that validates a security-scoped bookmark before resolving it relied on state that a sandboxed process could influence, so a bookmark the user never granted could be presented as valid and resolved to a location of the attacker's choosing. Apple's fix introduces stricter state validation so that bookmark resolution honors the original entitlement and user grant.
Attack Vector
Exploitation requires local code execution as a sandboxed app and limited user interaction, typically launching the malicious application. Once running, the app crafts or modifies a security-scoped bookmark and invokes the resolution APIs to read files outside its sandbox container. No elevated privileges are required at the start of the chain, and the attack does not need network access. See the Microsoft Blog Analysis of CVE-2025-31191 for a full technical walkthrough.
No public proof-of-concept code was recorded for this issue at the time of writing, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-31191
Indicators of Compromise
- Sandboxed processes opening files outside their container (~/Library/Containers/<bundle-id>/), such as ~/Documents/, ~/Desktop/, or TCC-protected locations, without a preceding open/save panel selection or drag-and-drop grant
- Applications resolving security-scoped bookmarks (the NSURL/URL bookmark resolution APIs) for locations the user never selected; note that bookmark data is an opaque blob the app stores itself, so the resolution call and the file access that follows are the observable events, not the bookmark
- A sandboxed app reading privacy-sensitive data immediately after first launch, before any user interaction that could have granted it access
Detection Strategies
- Monitor Endpoint Security Framework (ESF) events ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_READLINK originating from sandboxed bundles accessing unrelated user data paths
- Correlate process code-signing identity and entitlements with the actual file paths accessed to surface sandbox escapes
- Baseline expected bookmark usage per application and alert on deviations such as bookmarks resolving to home-directory roots
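The three strategies above reduce to one rule: take an Endpoint Security open event, check whether the process is sandboxed (from its entitlements), check whether the path lies inside the app's container or inside something the user explicitly granted, and flag the remainder when it touches user data. The script below is an added example for this page, not Microsoft's or Apple's code. It assumes a simplified event shape loosely modeled on what `eslogger` emits (the field names `home`, `process.entitlements` and the string `event_type` are assumptions; a real pipeline must enrich raw ESF events with the process's entitlements and the user's home directory, and map its own schema onto these names), and it runs over constructed sample events embedded inline.

```python
"""Flag sandboxed apps that open user data outside their App Sandbox container.

Added example, not Apple's or Microsoft's code. Event shape is a simplified,
assumed stand-in for eslogger/ESF JSON; field names are assumptions.
"""
import json
import posixpath

# Constructed watchlist: user-data locations (several are TCC-protected) that a
# sandboxed app should reach only through an explicit user grant or TCC prompt.
SENSITIVE_DIRS = (
    "Documents", "Desktop", "Downloads",
    "Library/Mail", "Library/Messages", "Library/Safari",
)

SANDBOX_ENTITLEMENT = "com.apple.security.app-sandbox"


def _inside(path, root):
    """True if `path` is `root` or lies beneath it (lexical check, no symlink resolution)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def container_root(home, bundle_id):
    """App Sandbox container for a bundle id: ~/Library/Containers/<bundle-id>."""
    return posixpath.join(home, "Library", "Containers", bundle_id)


def classify_open(ev, granted):
    """Return a finding dict for one open event, or None if it looks legitimate.

    `granted` maps a bundle id to the set of paths the user explicitly handed to
    that app (open/save panel, drag-and-drop): the per-app baseline the page
    recommends. Anything under a granted path is treated as legitimately reachable.
    """
    if ev.get("event_type") != "ES_EVENT_TYPE_NOTIFY_OPEN":
        return None
    proc = ev["process"]
    # Platform binaries (Finder, system daemons) are out of scope for this rule.
    if proc.get("is_platform_binary"):
        return None
    # Only sandboxed apps are interesting; the collector must enrich the event with
    # the app's entitlements from its code signature (assumed field name).
    if not proc.get("entitlements", {}).get(SANDBOX_ENTITLEMENT):
        return None
    bundle_id = proc["signing_id"]
    home = ev["home"]
    path = ev["event"]["open"]["file"]["path"]
    if _inside(path, container_root(home, bundle_id)):
        return None  # inside its own container: normal
    if any(_inside(path, g) for g in granted.get(bundle_id, ())):
        return None  # user granted this path (or a parent of it): normal
    hit = next((d for d in SENSITIVE_DIRS if _inside(path, posixpath.join(home, d))), None)
    if hit is None:
        return None  # outside the container but not user data we track
    return {
        "bundle_id": bundle_id,
        "pid": proc["pid"],
        "path": path,
        "reason": f"sandboxed app opened {hit} outside its container without a user grant",
    }


def scan(lines, granted):
    """Run classify_open over newline-delimited JSON events; return the findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = classify_open(json.loads(line), granted)
        if finding:
            findings.append(finding)
    return findings


def _event(bundle_id, pid, path, sandboxed=True, platform=False):
    """Build one constructed sample event in the assumed simplified shape."""
    return json.dumps({
        "event_type": "ES_EVENT_TYPE_NOTIFY_OPEN",
        "home": "/Users/alice",
        "process": {"pid": pid, "signing_id": bundle_id, "is_platform_binary": platform,
                    "entitlements": {SANDBOX_ENTITLEMENT: sandboxed}},
        "event": {"open": {"file": {"path": path}}},
    })


# Constructed sample telemetry (not real events): container-internal read, a
# read under a user-granted folder, a non-sandboxed app (TCC's concern, not this
# rule's), and two reads of user data by a sandboxed app with no grant at all.
SAMPLE_EVENTS = [
    _event("com.example.notes", 501,
           "/Users/alice/Library/Containers/com.example.notes/Data/Library/Preferences/x.plist"),
    _event("com.example.notes", 501, "/Users/alice/Documents/notes/todo.txt"),
    _event("com.example.editor", 502, "/Users/alice/Documents/taxes-2024.pdf", sandboxed=False),
    _event("com.example.notes", 501, "/Users/alice/Documents/taxes-2024.pdf"),
    _event("com.example.notes", 501, "/Users/alice/Library/Messages/chat.db"),
]
SAMPLE_GRANTS = {"com.example.notes": {"/Users/alice/Documents/notes"}}

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, SAMPLE_GRANTS):
        print(finding)
```

Only the last two sample events produce findings. The lexical path check deliberately normalizes `..` segments but does not resolve symlinks; in production, use the path ESF reports for the opened vnode rather than the string the process passed, and feed the grant baseline from open/save panel telemetry rather than a hand-written map.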
Monitoring Recommendations
- Ingest macOS Unified Logs and ESF telemetry into a centralized analytics platform to retain bookmark resolution events
- Track installation and execution of newly signed or notarized applications that immediately access privacy-sensitive directories
- Alert on TCC database modifications or prompts that occur outside expected user workflows
How to Mitigate CVE-2025-31191
Immediate Actions Required
- Update affected devices to iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, or watchOS 11.4
- Audit installed third-party applications and remove any that are unsigned, unnotarized, or of unknown origin; note that the flaw is abused from inside the App Sandbox, so a Mac App Store listing alone is not evidence that an app is safe
- Review TCC permissions and revoke Full Disk Access or Files and Folders access from applications that do not require it
Patch Information
Apple released coordinated security updates across its OS lineup. Refer to the vendor advisories: Apple Security Advisory 122371, 122373, 122374, 122375, 122376, and 122377. Apple states the issue was addressed through improved state management.
Workarounds
- No official workaround exists; patching is the only supported remediation
- Restrict execution of untrusted applications using Gatekeeper policies and mobile device management (MDM) allow-listing
- Limit the number of accounts that hold administrative privileges; this does not block the sandbox escape itself, which needs no elevated privileges, but it reduces what an attacker can do next with the data obtained
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

