SB2025091767 - Multiple vulnerabilities in Apple Xcode
Published: September 17, 2025 Updated: September 17, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2025-43370)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Dev Tools. A local user can pass an overly large path value to the application and perform a denial of service (DoS) attack.
2) Input validation error (CVE-ID: CVE-2025-43375)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in Dev Tools. A local user can pass an overly large path value to the application and perform a denial of service (DoS) attack.
3) CRLF injection (CVE-ID: CVE-2025-48384)
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to insufficient validation of attacker-supplied data when reading config values. A remote user can pass specially crafted config lines to the application containing CR-LF characters and execute arbitrary code on the system after checkout.
4) Protection Mechanism Failure (CVE-ID: CVE-2025-43263)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in IDE CoreML. A local application can read and write files outside of its sandbox.
5) Protection Mechanism Failure (CVE-ID: CVE-2025-43371)
The vulnerability allows a local application to bypass implemented security restrictions.
The vulnerability exists due to insufficient implementation of security measures in XCode. A local application can break out of its sandbox.
Remediation
Install update from vendor's website.