CVE-2025-70342 is a security vulnerability identified in the erase-install utility, specifically in versions prior to v40.4 commit 2c31239. The issue stems from the swiftDialog component writing administrator credential output to a hardcoded file path: /var/tmp/dialog.json. Because this path is predictable and not securely protected, an unauthenticated attacker can exploit this by creating a named pipe (FIFO) at that location before the erase-install process runs. When the utility writes credentials to this named pipe, the attacker can intercept and capture sensitive administrator credentials entered during system reinstall or erase operations. This vulnerability does not require authentication or user interaction, making it easier to exploit in environments where erase-install is used for macOS deployment or system recovery. The flaw is due to insecure handling of output files and lack of validation or protection against symbolic links or named pipes at the target path. Although no known exploits have been reported in the wild, the potential for credential compromise is significant. The vulnerability affects organizations using erase-install with swiftDialog prior to the fixed commit 2c31239, typically in macOS system administration contexts. No CVSS score has been assigned yet, but the vulnerability's characteristics indicate a high severity level. Mitigation involves applying the patch that removes or secures the hardcoded output path and prevents named pipe exploitation. Additionally, system administrators should enforce strict file system permissions and monitor /var/tmp for suspicious named pipe creation. This vulnerability highlights the risks of insecure temporary file handling in privileged system utilities.

The primary impact of CVE-2025-70342 is the compromise of administrator credentials during critical system reinstall or erase operations. If exploited, an attacker can gain unauthorized access to administrative credentials without authentication, leading to potential full system compromise. This threatens confidentiality and integrity of systems managed via erase-install, especially in environments where macOS devices are frequently reimaged or erased. The vulnerability could facilitate lateral movement, privilege escalation, or persistent access if credentials are harvested. Organizations relying on erase-install for mass deployment or recovery operations face increased risk of insider or remote attackers intercepting sensitive credentials. The ease of exploitation and lack of required authentication amplify the threat, potentially impacting IT infrastructure security and operational continuity. Although availability impact is limited, the breach of admin credentials can indirectly lead to denial of service or data loss through malicious administrative actions. The scope includes all systems using vulnerable erase-install versions with swiftDialog prior to the fixed commit, particularly in enterprise macOS environments.

To mitigate CVE-2025-70342, organizations should immediately update erase-install to version v40.4 or later that includes commit 2c31239 or subsequent patches addressing this vulnerability. If immediate patching is not feasible, implement strict file system permissions on /var/tmp to prevent unauthorized creation of named pipes or symbolic links, especially restricting write access to trusted administrators only. Employ monitoring and alerting for suspicious named pipe creation or unusual file system activity in /var/tmp. Consider running erase-install operations in isolated or sandboxed environments to limit exposure. Additionally, review and harden deployment workflows to minimize credential exposure during reinstall or erase processes. Educate system administrators about the risks of insecure temporary file handling and encourage regular audits of deployment tools. Finally, integrate credential rotation policies to limit the impact of any potential credential leakage.