
CVE-2025-22165: Security Misconfiguration in Atlassian Sourcetree for Mac

Severity: Medium
Published: Thu Jul 24 2025 (07/24/2025, 22:30:00 UTC)
Source: CVE Database V5
Vendor/Project: Atlassian
Product: Sourcetree for Mac

Description

This Medium severity ACE (Arbitrary Code Execution) vulnerability was introduced in version 4.2.8 of Sourcetree for Mac. This ACE (Arbitrary Code Execution) vulnerability, with a CVSS Score of 5.9, allows a locally authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac users upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes at https://www.sourcetreeapp.com/download-archives. You can download the latest version of Sourcetree for Mac from the download center at https://www.sourcetreeapp.com/download-archives. This vulnerability was found through the Atlassian Bug Bounty Program by Karol Mazurek (AFINE).

AI-Powered Analysis

Last updated: 08/01/2025, 00:54:44 UTC

Technical Analysis

CVE-2025-22165 is a security misconfiguration vulnerability in Atlassian Sourcetree for Mac, affecting versions 4.2.8 through 4.2.11 inclusive. It allows a locally authenticated attacker to execute arbitrary code on the affected system. The flaw is classified as Arbitrary Code Execution (ACE): an attacker with local access and some level of authentication can run code with the privileges of the user running Sourcetree. The CVSS 4.0 base score is 5.9, a medium severity rating. The vector string (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:H/SC:H/SI:H/SA:L) shows that the attack requires local access (AV:L), low attack complexity (AC:L), attack requirements present (AT:P, meaning exploitation depends on specific deployment or execution conditions being in place), low privileges (PR:L), and passive user interaction (UI:P). The vulnerability impacts confidentiality, integrity, and availability at a high level; read against the vector, the high availability impact falls on the vulnerable system itself (VA:H), while the high confidentiality and integrity impacts are recorded against subsequent systems (SC:H/SI:H), so successful exploitation could lead to significant data compromise, unauthorized modifications, or service disruption. The root cause is a security misconfiguration categorized under CWE-269 (Improper Privilege Management), which indicates that the application improperly manages permissions or security settings, enabling escalation or unauthorized code execution. Although no known exploits are currently reported in the wild, the presence of this vulnerability in a widely used development tool like Sourcetree for Mac poses a tangible risk, especially in environments where developers use this tool extensively. Atlassian recommends upgrading to the latest fixed versions to remediate the issue. The vulnerability was responsibly disclosed via Atlassian's Bug Bounty Program by researcher Karol Mazurek (AFINE).

Potential Impact

For European organizations, the impact of CVE-2025-22165 can be significant, particularly for software development teams relying on Sourcetree for Mac as part of their version control workflows. Since the vulnerability allows arbitrary code execution with user-level privileges, an attacker who gains local access could execute malicious payloads, potentially leading to data theft, injection of malicious code into source repositories, or disruption of development processes. This could compromise the integrity of software builds and the confidentiality of proprietary code. Additionally, if exploited in environments where Sourcetree is used on shared or less secure machines, the risk of lateral movement or further compromise increases. The requirement for local authentication and user interaction somewhat limits remote exploitation but does not eliminate risk, especially in scenarios involving social engineering or insider threats. Given the high impact on confidentiality, integrity, and availability, organizations with stringent compliance requirements (e.g., GDPR) must consider this vulnerability seriously to avoid regulatory penalties and reputational damage.

Mitigation Recommendations

1. Immediate upgrade: Organizations should prioritize upgrading all instances of Sourcetree for Mac to the latest version beyond 4.2.11, as Atlassian has released fixed versions addressing this vulnerability.
2. Restrict local access: Limit local user access to systems running Sourcetree to trusted personnel only, reducing the risk of exploitation by unauthorized users.
3. Harden endpoint security: Implement endpoint protection solutions that monitor and restrict unauthorized code execution and suspicious activities on developer machines.
4. User training: Educate developers and users about the risks of social engineering and the importance of not executing untrusted files or links, as user interaction is required for exploitation.
5. Monitor for suspicious activity: Employ logging and monitoring on developer workstations to detect unusual behavior indicative of exploitation attempts.
6. Segmentation: Isolate development environments from critical production systems to contain potential breaches.
7. Review permissions: Audit and tighten permissions related to Sourcetree and associated repositories to minimize privilege escalation opportunities.
8. Incident response readiness: Prepare and test incident response plans specifically for development environment compromises.


Technical Details

Data Version: 5.1
Assigner Short Name: atlassian
Date Reserved: 2025-01-01T00:01:27.176Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6882b80ead5a09ad004644fd

Added to database: 7/24/2025, 10:47:42 PM

Last enriched: 8/1/2025, 12:54:44 AM

Last updated: 8/31/2025, 11:34:27 AM

