CVE-2025-5255: CWE-276 Incorrect Default Permissions in Core.ai Phoenix Code

Severity: Medium
Published: Fri Jun 20 2025 (06/20/2025, 10:01:42 UTC)
Source: CVE Database V5
Vendor/Project: Core.ai
Product: Phoenix Code

Description

The Phoenix Code's configuration on macOS, specifically the presence of the entitlements "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation", allows for Dynamic Library (Dylib) injection. A local attacker with unprivileged access can use environment variables like DYLD_INSERT_LIBRARIES to inject code into the application's context and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to permissions previously granted by the user. Access to other resources beyond the granted permissions requires user interaction with a system prompt asking for permission. This issue was fixed in commit 0c75fb57f89d0b7d9b180026bc2624b7dcf807da.

AI-Powered Analysis

Last updated: 01/21/2026, 19:15:20 UTC

Technical Analysis

CVE-2025-5255 is a vulnerability identified in Core.ai's Phoenix Code product running on macOS platforms. The root cause lies in the application's entitlements configuration, specifically the inclusion of "com.apple.security.cs.allow-dyld-environment-variables" and "com.apple.security.cs.disable-library-validation". These entitlements permit the use of dynamic library injection techniques by allowing environment variables such as DYLD_INSERT_LIBRARIES to influence the loading of dynamic libraries at runtime. A local attacker with unprivileged access can exploit this to inject malicious code into the context of the Phoenix Code application. This injection bypasses macOS's Transparency, Consent, and Control (TCC) system, which normally governs access to sensitive resources and user data. However, the attacker’s capabilities are limited to resources for which the user has already granted permissions; accessing additional protected resources still requires explicit user consent via system prompts. The vulnerability does not require elevated privileges or user interaction to exploit, making it a local privilege escalation vector within the scope of the application. The issue was addressed and fixed in a specific commit (0c75fb57f89d0b7d9b180026bc2624b7dcf807da), which presumably removes or restricts these entitlements to prevent dylib injection. The CVSS 4.0 base score is 4.8, reflecting a medium severity due to the local attack vector, limited scope, and absence of user interaction requirements. No known exploits have been reported in the wild to date.

Potential Impact

For European organizations using Core.ai's Phoenix Code on macOS, this vulnerability presents a risk of local code injection that can bypass macOS's TCC protections within the scope of already granted permissions. This could lead to unauthorized access or manipulation of sensitive data that the application can access, potentially compromising confidentiality and integrity of that data. Although the attacker cannot escalate privileges beyond the user’s granted permissions or access additional protected resources without user consent, the ability to inject code may facilitate further local attacks, persistence, or data exfiltration within the compromised context. Organizations with sensitive workflows relying on Phoenix Code should be aware that insider threats or compromised local accounts could exploit this vulnerability. The impact is more pronounced in environments where multiple users share systems or where endpoint security is lax. Since exploitation requires local access, remote attack vectors are not directly impacted. The absence of known exploits reduces immediate risk but does not eliminate the need for prompt remediation.

Mitigation Recommendations

1. Apply the official patch or update from Core.ai that addresses this vulnerability by removing or restricting the problematic entitlements.
2. Restrict local access to macOS systems running Phoenix Code to trusted users only, minimizing the risk of local attackers exploiting this issue.
3. Employ endpoint security solutions that monitor for suspicious dynamic library injection or process tampering activities.
4. Use macOS System Integrity Protection (SIP) and ensure it is enabled and properly configured to limit unauthorized code injection.
5. Regularly audit application entitlements and configurations to detect and remediate insecure settings.
6. Educate users about the risks of local privilege misuse and enforce strong local account management policies.
7. Implement application whitelisting to prevent unauthorized code execution within the Phoenix Code context.
8. Monitor logs for unusual application behavior that could indicate exploitation attempts.

These steps go beyond generic advice by focusing on controlling local access, monitoring dynamic library injection, and validating application entitlements.
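A defensive check for mitigation step 5 (auditing entitlements), added here as an example and not taken from the advisory or from Phoenix Code itself: it parses the entitlements XML that `codesign -d --entitlements :- /path/to/App.app` prints on macOS and flags the two entitlements named above, which together are the condition that lets DYLD_INSERT_LIBRARIES load an arbitrary dylib. Both sample plists are constructed for the example and are not the product's real entitlements.

```python
import plistlib

ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Constructed sample resembling the vulnerable configuration: both entitlements on.
SAMPLE_VULNERABLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
</dict></plist>"""

# Constructed sample of a remediated bundle: the two risky keys are absent.
SAMPLE_FIXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.files.user-selected.read-write</key><true/>
</dict></plist>"""


def extract_plist(raw: bytes) -> bytes:
    """Strip the binary blob header some codesign versions print before the XML."""
    for marker in (b"<?xml", b"<plist"):
        start = raw.find(marker)
        if start >= 0:
            return raw[start:]
    raise ValueError("no plist found in codesign output")


def assess(raw: bytes) -> dict:
    """Flag the CWE-276 pairing from CVE-2025-5255.

    Hardened Runtime normally ignores DYLD_* variables and rejects dylibs not
    signed by the app's team or Apple; each entitlement disables one of those
    checks, so injection via DYLD_INSERT_LIBRARIES needs both to be present.
    """
    ents = plistlib.loads(extract_plist(raw))
    dyld_env = ents.get(ALLOW_DYLD_ENV) is True
    no_lib_validation = ents.get(DISABLE_LIB_VALIDATION) is True
    return {
        "allow_dyld_env": dyld_env,
        "disable_library_validation": no_lib_validation,
        "injectable": dyld_env and no_lib_validation,
        # Other entitlements hint at what injected code could reach; the actual
        # TCC grants live in the TCC database, not in the entitlements.
        "inherited_grants": sorted(
            k for k in ents if k not in (ALLOW_DYLD_ENV, DISABLE_LIB_VALIDATION)),
    }


if __name__ == "__main__":
    for label, blob in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, assess(blob))
```

Run it against every third-party app bundle on a fleet image and treat `injectable: True` as a finding to raise with the vendor, the same way the fixed commit here removed the pairing.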


Technical Details

Data Version
5.1
Assigner Short Name
CERT-PL
Date Reserved
2025-05-27T09:58:01.712Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 685535137ff74dad36a5ba22

Added to database: 6/20/2025, 10:16:51 AM

Last enriched: 1/21/2026, 7:15:20 PM

Last updated: 2/7/2026, 4:51:00 PM
