Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70341

CVE-2025-70341: App-auto-patch Race Condition Vulnerability

CVE-2025-70341 is a race condition vulnerability in App-auto-patch v3.4.2 caused by insecure permissions that enable attackers to write arbitrary files. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-70341 Overview

CVE-2025-70341 is an insecure permissions vulnerability in App-Auto-Patch version 3.4.2, a macOS patch management utility distributed through the App-Auto-Patch GitHub project. The flaw introduces a race condition during script execution that allows a local attacker to write arbitrary files on the affected system. Because App-Auto-Patch operates with elevated privileges to install software updates, arbitrary file write under these conditions can lead to local privilege escalation and full host compromise. The issue is tracked under CWE-94 and has been addressed through GitHub Pull Request #202.

Critical Impact

A local, low-privileged attacker can win a race against App-Auto-Patch-via-Dialog.zsh to plant or replace files in privileged locations, resulting in arbitrary code execution as root.

Affected Products

  • App-Auto-Patch v3.4.2 (App-Auto-Patch-via-Dialog.zsh)
  • Earlier v3.x releases sharing the same insecure permission model
  • macOS endpoints managed by App-Auto-Patch prior to the PR #202 fix

Discovery Timeline

  • 2026-03-04 - CVE-2025-70341 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2025-70341

Vulnerability Analysis

App-Auto-Patch is a zsh-based macOS workflow that wraps Installomator and swiftDialog to keep third-party applications updated. The main script, App-Auto-Patch-via-Dialog.zsh, runs with root privileges and creates working directories and temporary files used to stage patch operations. In v3.4.2, those filesystem objects are created with permissive ownership or modes, leaving a window between creation and use where a local attacker can manipulate them.

The vulnerability is a classic time-of-check to time-of-use (TOCTOU) race condition combined with insecure permissions. An unprivileged local user can replace, symlink, or pre-create the staging paths the script expects to write to. When the privileged process subsequently writes data, it follows attacker-controlled paths and produces files at locations the attacker chooses. This pattern is documented in GitHub Issue #203 and the proof-of-concept material published at the CVE-2025-70341 research repository.

Root Cause

The script does not enforce safe ownership and mode bits on its working directories, nor does it use O_NOFOLLOW-style protections when writing temporary state. Because the parent directory is writable by non-root users, an attacker can pre-stage entries that the privileged process operates on, violating the trust boundary between user-controlled and root-controlled filesystem paths.

Attack Vector

Exploitation requires local access with low privileges on the macOS host but no user interaction. The attacker monitors the filesystem for the creation of App-Auto-Patch working files, then races the privileged process by inserting symbolic links or pre-created files pointing to sensitive locations such as LaunchDaemons plists, sudoers fragments, or system binaries. When App-Auto-Patch writes through the attacker-controlled path, it produces a root-owned file under attacker control, which can be leveraged to execute code as root on the next privileged trigger.

No synthetic exploitation code is reproduced here. Technical details and a proof of concept are available in the malvector/CVE-2025-70341 repository.

Detection Methods for CVE-2025-70341

Indicators of Compromise

  • Unexpected symbolic links inside App-Auto-Patch working directories such as /private/tmp/Dialog/ or /Library/Application Support/AppAutoPatch/
  • New or modified files in /Library/LaunchDaemons/ or /Library/LaunchAgents/ that coincide with App-Auto-Patch execution timestamps
  • Root-owned files created in directories that were previously user-writable
  • Unexpected child processes of App-Auto-Patch-via-Dialog.zsh spawning shells or persistence utilities

Detection Strategies

  • Hunt for file creation events where the parent process is zsh running App-Auto-Patch-via-Dialog.zsh and the target path resides outside expected staging directories.
  • Alert on ln -s or mkfifo operations against paths that App-Auto-Patch is known to consume.
  • Correlate App-Auto-Patch execution windows with new LaunchDaemon registrations or modifications to privileged scripts.

Monitoring Recommendations

  • Enable macOS Endpoint Security framework telemetry for ES_EVENT_TYPE_NOTIFY_CREATE, ES_EVENT_TYPE_NOTIFY_RENAME, and ES_EVENT_TYPE_NOTIFY_LINK events on App-Auto-Patch directories.
  • Forward unified log entries from the com.apple.install and App-Auto-Patch subsystems into a centralized log platform for retention and search.
  • Baseline normal App-Auto-Patch behavior and flag deviations in file write paths, process lineage, or runtime duration.

How to Mitigate CVE-2025-70341

Immediate Actions Required

  • Upgrade App-Auto-Patch to the version that includes the fix from PR #202.
  • Audit existing App-Auto-Patch staging directories on managed macOS hosts and remove any unexpected symlinks or pre-created files.
  • Restrict local interactive access on systems running App-Auto-Patch until patching is complete.

Patch Information

The upstream fix is delivered through App-Auto-Patch Pull Request #202, which corrects the permission handling in App-Auto-Patch-via-Dialog.zsh. Administrators should pull the latest release from the App-Auto-Patch GitHub repository and redeploy through their MDM workflow.

Workarounds

  • Disable scheduled App-Auto-Patch runs until the patched version is deployed.
  • Pre-create the App-Auto-Patch working directories with root:wheel ownership and 0700 permissions to deny non-root users write access.
  • Restrict execution of App-Auto-Patch-via-Dialog.zsh to maintenance windows under direct administrator supervision.
bash
# Configuration example: harden App-Auto-Patch working directory permissions
sudo mkdir -p "/Library/Application Support/AppAutoPatch"
sudo chown root:wheel "/Library/Application Support/AppAutoPatch"
sudo chmod 0700 "/Library/Application Support/AppAutoPatch"

# Verify no attacker-controlled symlinks remain in staging paths
sudo find "/Library/Application Support/AppAutoPatch" -type l -print
sudo find /private/tmp/Dialog -type l -print 2>/dev/null

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.