A critical security vulnerability in macOS has been discovered, allowing malicious actors to bypass the App Sandbox protection. Tracked as CVE-2025-31191, the vulnerability exploits the security-scoped bookmarks system, which manages persistent access to user-selected files for sandboxed apps. Attackers can manipulate these bookmarks to delete and replace keychain entries, breaking the fundamental security boundaries of macOS. This flaw enables attackers to compromise sensitive files and escalate privileges, threatening the integrity of the system.
The vulnerability lies within how macOS handles security-scoped bookmarks, which are used to provide sandboxed applications persistent access to user-selected files outside the app’s container. These bookmarks are protected by cryptographic tokens signed using HMAC-SHA256, ensuring the security of the files. However, researchers found a weakness in the keychain protection mechanism. Although Apple restricted reading access to certain keychain items, the deletion and replacement of these items were not adequately prevented, allowing attackers to exploit this gap.
Once attackers have access to the system, they can delete the legitimate signing secret used for the ScopedBookmarkAgent. They can then insert a new secret with a permissive ACL, which grants broader access to files without user consent. This action allows attackers to craft malicious bookmarks and inject them into the securebookmarks.plist file, which is later validated by the ScopedBookmarkAgent. This bypasses the sandbox protection and grants unauthorized access to sensitive system files, enabling further exploitation or data theft.
Apple has addressed the issue in security updates for affected systems, including macOS Ventura, macOS Sequoia, macOS Sonoma, and iOS versions. The vulnerability is rated as having a medium risk (CVSS 5.5) due to its requirement for initial code execution within a sandboxed app. Users are urged to update their systems immediately. Additionally, Microsoft Defender for Endpoint can detect suspicious keychain manipulation attempts, providing an extra layer of defense.
