Microsoft Threat Intelligence has disclosed a significant vulnerability in macOS that could allow attackers to bypass the App Sandbox and execute unauthorized code on affected systems. The vulnerability, identified as CVE-2025-31191, poses a serious risk as it enables attackers to escape the App Sandbox without requiring any user interaction, exploiting security-scoped bookmarks in sandboxed apps.
The macOS App Sandbox is a security feature that enforces strict rules on what an application can and cannot do, limiting potential damage from malicious software. Microsoft's research indicates that successful exploitation of this vulnerability, especially within the Microsoft Office app, would require complex exploits and enabled Office macros.
Microsoft's team focused their research on the GrantAccessToMultipleFiles API after determining that the AppleScriptTask API did not present obvious vulnerabilities. They discovered that user choices for file access granted through this API are persistently saved, indicating that consent is stored in a file accessible to attackers. The vulnerability lies in how macOS handles security-scoped bookmarks, a mechanism designed to allow apps to bypass App Sandbox rules with explicit user permission. By manipulating the keychain entry com.apple.scopedbookmarksagent.xpc, attackers can replace the existing signing secret with a known one, enabling them to create and validate their own entries in the secure bookmarks PLIST file.
The exploitation process involves several steps:
1. Deleting the old signing secret from the keychain and establishing a new, known secret.
2. Calculating the cryptographic key for the target app using its bundle ID and the known secret.
3. Artificially signing new entries in the accessible scoped bookmarks PLIST file.
4. Invoking GrantAccessToMultipleFiles to send the self-signed bookmarks to ScopedBookmarkAgent, which validates them using the new secret and grants the sandboxed app access tokens.
5. Escaping the macOS sandbox using the newly gained arbitrary file access.
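The design failure behind these steps is that the verifier's signing secret lives in a store the constrained app can rewrite. The following toy model, added here for illustration and not Apple's or Microsoft's code, shows why a MAC over bookmark entries gives no integrity under that condition and what property a verifier needs instead; the key derivation (SHA-256 over secret and bundle ID), the HMAC, the bundle ID, the path and the secrets are all constructed assumptions, not the real macOS scheme.

```python
import hashlib
import hmac


def derive_key(bundle_id: str, secret: bytes) -> bytes:
    """Per-app key from bundle ID and signing secret (assumed derivation, not Apple's)."""
    return hashlib.sha256(secret + b"|" + bundle_id.encode()).digest()


def sign_entry(bundle_id: str, secret: bytes, path: str) -> bytes:
    """Tag over one bookmark entry; models the signature stored in the PLIST."""
    return hmac.new(derive_key(bundle_id, secret), path.encode(), hashlib.sha256).digest()


class ClientWritableStore:
    """Models the keychain entry that the sandboxed app could delete and recreate."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret


def agent_validates_from_store(store: ClientWritableStore, bundle_id: str, path: str, tag: bytes) -> bool:
    # Flawed model: the verifier fetches the secret from a store the client controls,
    # so whoever can rewrite the store also decides which tags validate.
    return hmac.compare_digest(sign_entry(bundle_id, store.secret, path), tag)


def agent_validates_pinned(agent_secret: bytes, bundle_id: str, path: str, tag: bytes) -> bool:
    # Hardened model: the verifier's secret is not reachable from the sandbox, so
    # rewriting the client-visible store has no effect on validation.
    return hmac.compare_digest(sign_entry(bundle_id, agent_secret, path), tag)


def scenario() -> dict:
    """Runs the model: secret replaced by a known one, then a self-signed entry is checked."""
    original_secret = b"agent-original-secret"          # constructed
    store = ClientWritableStore(original_secret)
    app = "com.example.sandboxed-app"                    # hypothetical bundle ID
    target = "/Users/victim/Documents/outside-sandbox.txt"  # constructed path
    store.secret = b"attacker-known-secret"              # the store is rewritten (step 1)
    forged = sign_entry(app, store.secret, target)       # signed with the known secret (steps 2-3)
    return {
        "flawed_verifier_accepts_forgery": agent_validates_from_store(store, app, target, forged),
        "pinned_verifier_rejects_forgery": not agent_validates_pinned(original_secret, app, target, forged),
    }
```

The takeaway for reviewers of similar designs: a MAC only constrains a party that cannot choose or replace the key, so the secret must sit outside the trust boundary of the component being constrained.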
Microsoft's findings confirm that this exploit is effective against any sandboxed app using security-scoped bookmarks, making it a generic macOS sandbox escape. Microsoft responsibly disclosed its findings to Apple through Coordinated Vulnerability Disclosure (CVD). Apple released a fix for CVE-2025-31191 as part of its security updates on March 31, 2025. Users are strongly advised to apply these security updates as soon as possible to protect their systems from potential exploitation.