CVE-2025-4280: CWE-276 Incorrect Default Permissions in Poedit

Severity: Medium
Tags: Vulnerability, CVE-2025-4280, CWE-276
Published: Thu May 22 2025 (05/22/2025, 09:59:30 UTC)
Source: CVE
Vendor/Project: Poedit
Product: Poedit

Description

The macOS version of Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access the user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Poedit, potentially disguising the attacker's malicious intent. This issue has been fixed in Poedit version 3.6.3.

AI-Powered Analysis

Last updated: 07/07/2025, 10:56:17 UTC

Technical Analysis

CVE-2025-4280 is a security vulnerability affecting the macOS version of Poedit, a popular cross-platform editor for gettext catalogs (.po files) used primarily for software localization. The vulnerability arises from the way Poedit bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main Poedit application bundle. TCC is the macOS privacy framework that controls access to user data and system resources, such as files in privacy-protected folders (e.g., Documents, Desktop, Downloads, and other sensitive directories). Because TCC grants are tied to the application bundle rather than to the specific binary inside it that performs the access, the embedded Python interpreter inherits those grants, and an attacker with local user access can invoke the interpreter to execute arbitrary commands or scripts. This lets the attacker use the application's previously granted TCC permissions to read the user's files in protected folders without triggering additional user prompts.

If the attacker attempts to access resources beyond those already granted, macOS will prompt the user for approval, but the prompt will appear to originate from Poedit, potentially misleading the user and increasing the chance that malicious access is approved. The vulnerability is classified under CWE-276 (Incorrect Default Permissions), indicating that the default permissions effectively granted to the embedded interpreter are overly permissive. The issue affects Poedit version 2.0 and was fixed in version 3.6.3.

The CVSS v4.0 base score is 4.8 (medium severity), reflecting that exploitation requires local access and low privileges but does not require user interaction. There are no known exploits in the wild as of the publication date. This vulnerability primarily impacts confidentiality by enabling unauthorized access to privacy-protected user files, with limited impact on integrity and availability. The attack scope is local, requiring the attacker to already have access to the victim's user account on macOS.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to employees or users running vulnerable versions of Poedit on macOS systems. Since Poedit is used in software localization, organizations involved in software development, translation, or localization services may be more likely to have this software installed. An attacker with local access—such as a malicious insider, a compromised workstation, or through social engineering to gain user-level access—could exploit this vulnerability to access sensitive files in privacy-protected folders without alerting the user. This could lead to unauthorized disclosure of intellectual property, confidential documents, or personal data, potentially violating GDPR requirements around data protection and privacy. The disguised user prompts could also lead to further privilege escalation or malware installation if users are tricked into granting additional permissions. While the vulnerability requires local access and does not allow remote exploitation, the risk is significant in environments where endpoint security is weak or where multiple users share workstations. The medium severity score reflects these factors, but the potential for data leakage and compliance violations makes it important for European organizations to address this promptly.

Mitigation Recommendations

1. Upgrade Poedit to version 3.6.3 or later immediately, as this version contains the fix for the vulnerability.
2. Implement strict endpoint security controls to limit local user access, including enforcing least privilege principles and restricting software installation rights.
3. Educate users about the risks of granting permissions in macOS prompts, emphasizing caution when prompted by applications like Poedit.
4. Monitor and audit usage of Poedit and Python interpreter invocations on macOS endpoints to detect suspicious activity or unauthorized script executions.
5. Use macOS management tools (e.g., MDM solutions) to enforce application whitelisting and control TCC permissions centrally, reducing the risk of unauthorized permission grants.
6. Regularly review and update software inventories to identify and remediate vulnerable versions of Poedit and other applications bundling interpreters or scripting engines.
7. Consider deploying endpoint detection and response (EDR) solutions capable of detecting anomalous local script execution or privilege abuse on macOS systems.
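Mitigation item 4 calls for monitoring interpreter invocations. The following is an added example, not code from Poedit or from this record, that flags process-execution records where a Python interpreter located inside an .app bundle was launched by a process outside that bundle; the record layout and the interpreter path under Poedit.app are constructed assumptions, not the real layout.

```python
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "ts pid ppid user exe args")

# Record layout is hypothetical; adapt LINE_RE to your EDR's process-exec export.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) user=(?P<user>\S+) "
    r"exe=(?P<exe>\S+) args=(?P<args>.*)$"
)
INTERP_RE = re.compile(r"^python(\d+(\.\d+)?)?$")         # python, python3, python3.12
BUNDLE_RE = re.compile(r"^(?P<bundle>.*?\.app)/Contents/")  # executable inside an .app

# Constructed sample; the interpreter path is illustrative, not Poedit's real layout.
SAMPLE_EVENTS = """\
2025-05-22T10:01:02Z pid=4101 ppid=1 user=alice exe=/Applications/Poedit.app/Contents/MacOS/Poedit args=
2025-05-22T10:02:15Z pid=4155 ppid=4101 user=alice exe=/Applications/Poedit.app/Contents/Frameworks/python3 args=helper.py
2025-05-22T10:05:40Z pid=5000 ppid=4990 user=alice exe=/bin/zsh args=
2025-05-22T10:06:01Z pid=5012 ppid=5000 user=alice exe=/usr/bin/python3 args=-c "print(1)"
2025-05-22T10:07:30Z pid=5020 ppid=5000 user=alice exe=/Applications/Poedit.app/Contents/Frameworks/python3 args=-c "import os"
malformed line that the parser should skip
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # records that do not match the expected layout are skipped
            events.append(ProcEvent(m["ts"], int(m["pid"]), int(m["ppid"]),
                                    m["user"], m["exe"], m["args"]))
    return events

def bundle_of(path):
    m = BUNDLE_RE.match(path)  # None for a plain system binary such as /bin/zsh
    return m["bundle"] if m else None

def find_suspicious(events):
    """Interpreters living inside an .app bundle that were not launched by a
    process from that same bundle (an unknown parent is flagged as well)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        bundle = bundle_of(e.exe)
        if bundle is None or not INTERP_RE.match(e.exe.rsplit("/", 1)[-1]):
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and bundle_of(parent.exe) == bundle:
            continue  # the app driving its own interpreter: expected behaviour
        hits.append(e)
    return hits
```

On the sample above only the interpreter started from the shell (pid 5020) is reported; the copy started by Poedit itself and the system /usr/bin/python3 are not.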

Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-05-05T07:38:37.065Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682ef76d0acd01a249257db6

Added to database: 5/22/2025, 10:07:41 AM

Last enriched: 7/7/2025, 10:56:17 AM

Last updated: 8/2/2025, 12:17:49 AM
