CVE-2025-61229

An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://shirt.com	Not Applicable
https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html	Product
https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/	Release Notes

Configurations

Configuration 1 (hide)

cpe:2.3:a:shirt-pocket:superduper\!:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-01 16:15

Updated : 2025-12-08 16:15

NVD link : CVE-2025-61229

Mitre link : CVE-2025-61229

CVE.ORG link : CVE-2025-61229

JSON object : View

Products Affected

shirt-pocket

superduper\!

CWE

CWE-276

Incorrect Default Permissions

CWE-284

Improper Access Control

{"id": "CVE-2025-61229", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}]}, "published": "2025-12-01T16:15:55.167", "references": [{"url": "http://shirt.com", "tags": ["Not Applicable"], "source": "cve@mitre.org"}, {"url": "https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_security_update_v311/", "tags": ["Release Notes"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-276"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "An issue in Shirt Pocket's SuperDuper! 3.10 and earlier allow a local attacker to modify the default task template to execute an arbitrary preflight script with root privileges and Full Disk Access, thus bypassing macOS privacy controls."}], "lastModified": "2025-12-08T16:15:52.487", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:shirt-pocket:superduper\\!:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DA1ADFA-22EF-48D4-B54A-B6504AC8BA04", "versionEndIncluding": "3.10"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}