CVE-2025-1398 — Untrusted Search Path in Desktop

CWE-426 — Untrusted Search Path4 documents4 sources

Severity

3.3LOWNVD

EPSS

0.0%

top 90.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mattermost Desktop Mattermost

Timeline

PublishedMar 17

Description

Mattermost Desktop App versions <=5.10.0 explicitly declared unnecessary macOS entitlements which allows an attacker with remote access to bypass Transparency, Consent, and Control (TCC) via code injection.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

▶NVDmattermost/mattermost_desktop< 5.11.0

▶CVEListV5mattermost/mattermost5.10.0

🔴Vulnerability Details

GHSA

Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection↗2025-03-17

▶

CVEList

macOS TCC Bypass via Code Injection↗2025-03-17

▶

OSV

Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection↗2025-03-17

▶