CVE-2025-22165 is an arbitrary code execution (ACE) vulnerability discovered in Atlassian Sourcetree for Mac, specifically in versions 4.2.8 through 4.2.11. The root cause is a security misconfiguration related to improper privilege management (CWE-269), which allows a locally authenticated attacker to execute arbitrary code on the affected system. Exploitation requires user interaction, such as opening a malicious file or performing a specific action within the application. The vulnerability impacts confidentiality, integrity, and availability at a high level, indicating that an attacker could potentially gain control over sensitive data, alter or corrupt data, and disrupt application or system functionality. The CVSS 4.0 base score is 5.9, reflecting a medium severity level, with attack vector limited to local access, low attack complexity, and requiring privileges and user interaction. No public exploits have been reported yet, but the presence of this vulnerability in a widely used Git GUI client for Mac makes it a significant risk for developers and organizations relying on Sourcetree for version control. Atlassian has addressed this issue in versions beyond 4.2.11, and users are advised to upgrade promptly. The vulnerability was responsibly disclosed through Atlassian's Bug Bounty Program.

The impact of CVE-2025-22165 is considerable for organizations using affected versions of Sourcetree on Mac. Successful exploitation could allow attackers with local access to execute arbitrary code, potentially leading to unauthorized access to source code repositories, injection of malicious code, or disruption of development workflows. This could compromise the integrity of software development processes, leading to supply chain risks if malicious code is introduced. Confidentiality breaches could expose sensitive intellectual property or credentials stored or accessed through Sourcetree. Availability impacts could disrupt developers' ability to manage code, delaying projects and increasing operational costs. While exploitation requires local access and user interaction, insider threats or malware could leverage this vulnerability to escalate privileges or persist within development environments. Organizations with distributed development teams or remote Mac users are particularly at risk if devices are compromised or shared.

To mitigate CVE-2025-22165, organizations should immediately upgrade all affected Sourcetree for Mac installations to the latest version beyond 4.2.11 as provided by Atlassian. If immediate upgrade is not feasible, restrict local access to Mac systems running vulnerable versions and enforce strict user privilege management to limit the ability of attackers to authenticate locally. Implement endpoint protection solutions capable of detecting suspicious activities related to code execution within development tools. Educate users about the risk of interacting with untrusted files or links within Sourcetree. Regularly audit and monitor development environments for unusual behavior or unauthorized code changes. Additionally, consider isolating development machines from sensitive networks and employing application whitelisting to prevent execution of unauthorized code. Maintain up-to-date backups of source code repositories to recover quickly in case of compromise.