{"id":58595,"date":"2025-05-01T17:00:00","date_gmt":"2025-05-01T17:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/"},"modified":"2025-05-01T17:00:00","modified_gmt":"2025-05-01T17:00:00","slug":"analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/","title":{"rendered":"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape"},"content":{"rendered":"<p>In April 2024, Microsoft uncovered a vulnerability in macOS that could allow specially crafted code to escape the App Sandbox and run unrestricted on the system. An attacker could create an exploit that escapes the App Sandbox, with no user interaction required, from <strong>any<\/strong> sandboxed app that uses <a href=\"https:\/\/developer.apple.com\/documentation\/professional_video_applications\/fcpxml_reference\/asset\/media-rep\/bookmark\/enabling_security-scoped_bookmark_and_url_access?language=objc\" target=\"_blank\" rel=\"noreferrer noopener\">security-scoped bookmarks<\/a>. With the ability to run code unrestricted on the affected device, attackers could perform further malicious actions like elevating privileges, exfiltrating data, and deploying additional payloads. 
Microsoft\u2019s Threat Intelligence research demonstrates that these exploits would need to be complex and require Office macros to be enabled to successfully target the Microsoft Office app.<\/p>\n<p>Similar to our discovery of another <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/07\/13\/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706\/\">sandbox escape vulnerability in 2022<\/a>, we uncovered this issue while researching potential methods to run and detect malicious macros in Microsoft Office on macOS. After discovering this issue, we shared our findings with Apple through <a href=\"https:\/\/www.microsoft.com\/msrc\/cvd\">Coordinated Vulnerability Disclosure (CVD)<\/a> via <a href=\"https:\/\/www.microsoft.com\/msrc\/msvr\">Microsoft Security Vulnerability Research (MSVR)<\/a>. Apple released a fix for this vulnerability, now identified as CVE-2025-31191, as part of <a href=\"https:\/\/support.apple.com\/en-us\/122375\" target=\"_blank\" rel=\"noreferrer noopener\">security updates<\/a> released on March 31, 2025. We want to thank the Apple product security team for their collaboration and responsiveness. We encourage macOS users to apply security updates as soon as possible.<\/p>\n<p>This blog post details our investigation into using Office macros to escape the macOS App Sandbox and how we uncovered the CVE-2025-31191 vulnerability. We further demonstrate how the exploit could allow an attacker to delete and replace a keychain entry used to sign security-scoped bookmarks to ultimately escape the App Sandbox without user interaction. 
This research underscores how security solutions like Microsoft Defender for Endpoint protect devices from cross-platform threats, as well as how collaboration and responsible disclosure are essential to defend users across all platforms and devices.<\/p>\n<h2 class=\"wp-block-heading\" id=\"the-macos-app-sandbox-and-office-macros\">The macOS App Sandbox and Office macros<\/h2>\n<p>The macOS <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/Security\/Conceptual\/AppSandboxDesignGuide\/AboutAppSandbox\/AboutAppSandbox.html\" target=\"_blank\" rel=\"noreferrer noopener\">App Sandbox<\/a> is a security mechanism employed on macOS applications, enforcing strict fine-grained rules on what an app can or cannot do. For example, an app can specify whether it should have internet access or whether it should be able to access specific files. To get apps signed by Apple and published in the Mac App Store, developers must have sandbox rules defined for their apps.<\/p>\n<p>Since 2022, Apple has made significant changes to how the App Sandbox is enforced from within <a href=\"https:\/\/developer.apple.com\/documentation\/coreservices\/launch_services\" target=\"_blank\" rel=\"noreferrer noopener\">Launch Services<\/a>, making them aware of the <a href=\"https:\/\/developer.apple.com\/documentation\/xpc\" target=\"_blank\" rel=\"noreferrer noopener\">XPC<\/a> client being sandboxed. 
That means vulnerabilities that use Launch Services, such as the <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2022-26706\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2022-26706<\/a> vulnerability, as well as <a href=\"https:\/\/perception-point.io\/blog\/technical-analysis-of-cve-2021-30864\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2021-30864<\/a>, <a href=\"https:\/\/wojciechregula.blog\/post\/macos-sandbox-escape-via-terminal\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2022-26696<\/a>, and <a href=\"https:\/\/desi-jarvis.medium.com\/office365-macos-sandbox-escape-fcce4fa4123c\" target=\"_blank\" rel=\"noreferrer noopener\">others<\/a>, will not work anymore. Since Microsoft Office is heavily sandboxed on macOS, it seems that malicious Office macros have minimal impact and cannot be trivially used as an initial access vector.<\/p>\n<p>Nevertheless, our team decided to perform a threat landscape analysis. With modern Microsoft Office for macOS being heavily sandboxed, two new VBA APIs have been introduced and <a href=\"https:\/\/learn.microsoft.com\/office\/vba\/api\/overview\/office-mac\">documented<\/a>:<\/p>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/office\/vba\/office-mac\/applescripttask\"><em>AppleScriptTask<\/em><\/a>. This API allows a Microsoft Office macro to run a preassigned <a href=\"https:\/\/developer.apple.com\/library\/archive\/documentation\/AppleScript\/Conceptual\/AppleScriptLangGuide\/introduction\/ASLR_intro.html\" target=\"_blank\" rel=\"noreferrer noopener\">AppleScript<\/a>. The script must be under the directory <em>~\/Library\/Application Scripts\/[bundle id]\/<\/em>, which is not accessible for writing from within Office itself. 
Therefore, script execution cannot be used for VBA-based sandbox escape purposes.<\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/office\/vba\/office-mac\/grantaccesstomultiplefiles\"><em>GrantAccessToMultipleFiles<\/em><\/a>. This API grants read and write access to files out of the sandbox from within the macro, which involves heavy user interaction to select and approve those files.<\/li>\n<\/ul>\n<p>Since the <em>AppleScriptTask<\/em> API did not have obvious vulnerabilities, we started focusing on the <em>GrantAccessToMultipleFiles<\/em> API.<\/p>\n<p>Interestingly, we noticed that the user\u2019s choice is persistently saved and used, even between reboots. This indicates that the user\u2019s consent is stored in a file that we can attempt to access. An attacker could aim to obtain write and read access to arbitrary files without the user\u2019s consent and then escape the macOS App Sandbox by abusing files that would later be used by other apps (such as the file <em>~\/.zshenv<\/em> that we <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/07\/13\/uncovering-a-macos-app-sandbox-escape-vulnerability-a-deep-dive-into-cve-2022-26706\/\">analyzed in the past<\/a>). 
In such an attack, the attacker could rely on <a href=\"https:\/\/attack.mitre.org\/techniques\/T1204\/\" target=\"_blank\" rel=\"noreferrer noopener\">unsuspecting users approving file access<\/a> to allow trivial sandbox escapes.<\/p>\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1019\" height=\"691\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg\" alt=\"Screenshot of the proof of concept code for an attack involving user interaction\" class=\"wp-image-138742\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg 1019w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6-300x203.jpg 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6-768x521.jpg 768w\" sizes=\"auto, (max-width: 1019px) 100vw, 1019px\"><figcaption class=\"wp-element-caption\"><em>Figure 1. Proof of concept code for an attack that does involve user interaction<\/em><\/figcaption><\/figure>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-18.webp\" alt=\"Screenshot of the typical user interaction requiring explicit selection of the folder to grant access to\" class=\"wp-image-138748 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-18.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 2. 
Typical user interaction requiring explicit selection of the folder to grant access to<\/em><\/figcaption><\/figure>\n<h2 class=\"wp-block-heading\" id=\"file-access-approval-using-kernel-tokens\">File access approval using kernel tokens<\/h2>\n<p>We discovered that the file that persists the user\u2019s choices is a <a href=\"https:\/\/wikipedia.org\/wiki\/Property_list\" target=\"_blank\" rel=\"noreferrer noopener\">PLIST<\/a> file under the <em>Containers<\/em> folder. The <em>Containers<\/em> folder is a special folder in which App Sandbox rules do not apply, which means that the sandboxed app has full access to files there. This is quite attractive for vulnerability research purposes since it means that an attacker might be able to add entries to that file and simply get access to arbitrary files mentioned in that PLIST file.<\/p>\n<p>Microsoft Office uses a macOS mechanism called <a href=\"https:\/\/developer.apple.com\/documentation\/professional_video_applications\/fcpxml_reference\/asset\/media-rep\/bookmark\/enabling_security-scoped_bookmark_and_url_access?language=objc\" target=\"_blank\" rel=\"noreferrer noopener\">security-scoped bookmarks<\/a>, which is a mechanism designed by Apple to specifically bypass the App Sandbox rules using explicit, persistent user choices. We do note that the file seems to contain binary signatures, so frivolously adding new entries or modifying existing ones is not possible.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-19.webp\" alt=\"Screenshot of the secure bookmarks PLIST file saving the signed user choices with typical metadata\" class=\"wp-image-138749 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-19.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 3. 
The secure bookmarks PLIST file saving the signed user choices with typical metadata<\/em><\/figcaption><\/figure>\n<p>Therefore, our team decided to reverse engineer large parts of the macOS modules that support this behavior. However, to fully understand and appreciate the security design of security-scoped bookmarks, it\u2019s important to understand how sandboxed apps typically get access to files.<\/p>\n<p>In general, sandboxed apps typically get access to files if a user selects them using the Open dialog. That dialog is controlled by an un-sandboxed service called <em>com.apple.appkit.xpc.openAndSavePanelService.xpc<\/em>. After the user selects the files, that un-sandboxed service transfers access to the selected files to the sandboxed app (using <a href=\"https:\/\/wikipedia.org\/wiki\/Inter-process_communication\" target=\"_blank\" rel=\"noreferrer noopener\">IPC<\/a>) via a mechanism called sandbox extensions, which was documented well by Jonathan Levin <a href=\"https:\/\/newosxbook.com\/files\/HITSB.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">in the past<\/a>. Essentially, sandbox extensions are tokens created and signed by the kernel that grant the possessing process the ability to access those files, typically using the lower-level API under <em>libsystem_sandbox.dylib<\/em>. In our case, the Open dialog service passes a sandbox extension token from the kernel to Microsoft Office, which then uses the token for file access purposes, bypassing App Sandbox checks. The token itself contains:<\/p>\n<ul class=\"wp-block-list\">\n<li>HMAC-SHA256 authentication. 
The key used for that HMAC is generated on each boot by the <em>Sandbox.kext<\/em> kernel extension.<\/li>\n<li>Volume, node information, and other file metadata.<\/li>\n<li>Capability (such as <em>com.apple.app-sandbox.read-write<\/em>).<\/li>\n<li>File path.<\/li>\n<\/ul>\n<p>Because the key that is used to sign the HMAC-SHA256 blob is generated on each new boot, the token cannot persist between reboots. To solve that problem, Apple came up with security-scoped bookmarks, which do something very similar. A new un-sandboxed process called <em>ScopedBookmarkAgent<\/em> was introduced, which can perform two important tasks:<\/p>\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Given a sandbox extension token, validate its authenticity and generate a new, serializable object called \u201cbookmark,\u201d which will have a long-term HMAC-SHA256 authentication.<\/li>\n<li>Given a bookmark, validate its authenticity and generate a new sandbox extension token.<\/li>\n<\/ol>\n<p>Applications such as Microsoft Office could then use those capabilities to maintain long-term file access:<\/p>\n<ol start=\"1\" class=\"wp-block-list\">\n<li>On the first call to <em>GrantAccessToMultipleFiles<\/em>, Office checks if there are file entries in its <em>securebookmarks.plist<\/em> file. Since there are no matching entries, Office consults the Open dialog service, which requires user interaction and receives a sandbox extension token. That token is sent to the <em>ScopedBookmarkAgent<\/em>, which validates the token and then signs it with its own unique, long-term cryptographic key. 
That data is then serialized by Office to the <em>securebookmarks.plist<\/em> file for later use.<\/li>\n<li>On the next call to <em>GrantAccessToMultipleFiles<\/em>, Office finds the entry in its <em>securebookmarks.plist<\/em> file and sends the data to the <em>ScopedBookmarkAgent<\/em>, which validates the signature and generates a sandbox extension token that Office can use without any user interaction.<\/li>\n<\/ol>\n<p>The HMAC-SHA256 authentication blob generated by <em>ScopedBookmarkAgent<\/em> cannot be forged unless an attacker has the cryptographic key. The signing key is unique for each app and calculated as follows:<\/p>\n<p>cryptoKey = HMAC-SHA256(secret, \u201c[bundle-id]\u201d)<\/p>\n<p>The bundle ID is known (for instance, <em>com.microsoft.Word<\/em>) and the secret persists in <a href=\"https:\/\/support.apple.com\/guide\/keychain-access\/what-is-keychain-access-kyca1083\/mac\" target=\"_blank\" rel=\"noreferrer noopener\">Keychain Access on macOS<\/a>, saved in the keychain entry <em>com.apple.scopedbookmarksagent.xpc<\/em>.<\/p>\n<p>Therefore, knowing the secret that is stored in the keychain is essential to deriving the cryptoKey, and that\u2019s the only barrier against an attacker signing their own bookmark entries.<\/p>\n<h2 class=\"wp-block-heading\" id=\"escaping-the-app-sandbox-via-the-keychain\">Escaping the App Sandbox via the keychain<\/h2>\n<p>The macOS keychain can be thought of as a built-in password manager, conceptually similar to how <a href=\"https:\/\/learn.microsoft.com\/windows-server\/security\/windows-authentication\/credentials-processes-in-windows-authentication\">Credential Manager<\/a> works on Windows. The keychain is a container for passwords and has Access Control Lists (<a href=\"https:\/\/developer.apple.com\/documentation\/security\/keychain_services\/access_control_lists\" target=\"_blank\" rel=\"noreferrer noopener\">ACL<\/a>) that dictate which process can access each keychain item. 
The keychain entry we are interested in is <em>com.apple.scopedbookmarksagent.xpc<\/em>, and its ACL dictates that only the <em>ScopedBookmarkAgent<\/em> has access to it. This is an excellent security decision by Apple, since injection into that process is not trivial, especially from a sandboxed context.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-17.webp\" alt=\"Screenshot of the Access Control List for the scoped bookmarks secret used for signing purposes\" class=\"wp-image-138746 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-17.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 4. The Access Control List for the scoped bookmarks secret used for signing purposes<\/em><\/figcaption><\/figure>\n<p>It seems as if an attacker cannot do much, as they operate within the sandboxed app context and not the <em>ScopedBookmarkAgent<\/em> context, so attackers cannot get the key and, therefore, cannot sign arbitrary new entries in the PLIST file indirectly used by the <em>ScopedBookmarkAgent<\/em>. However, we discovered that the ACL only controls the ability to read the secret. An attacker could completely avoid reading the existing secret and instead delete the existing entry and <strong>add a new entry<\/strong> with a well-known secret. 
In addition, the attacker could control the new entry\u2019s ACL and allow anyone to read the contents of the secret, including <em>ScopedBookmarkAgent<\/em>:<\/p>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-20-1024x344.webp\" alt=\"Screenshot of the deletion of the old security-scoped bookmarks secret and assigning a new one from within a sandboxed session\" class=\"wp-image-138750 webp-format\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-20-1024x344.webp 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-20-300x101.webp 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-20-768x258.webp 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-20.webp 1036w\" data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-20-1024x344.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 5. Deletion of the old security-scoped bookmarks secret and assigning a new one from within a sandboxed session<\/em><\/figcaption><\/figure>\n<p>Therefore, an attacker can create an elaborate exploit:<\/p>\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Delete the old signing secret from the keychain and decide on a new known secret that is accessible to all processes.<\/li>\n<li>Calculate the cryptographic key for an app since its bundle ID is known (<em>key = HMAC-SHA256(knownSecret, [bundle-id])<\/em>).<\/li>\n<li>Artificially sign new entries in the persistent scoped bookmarks PLIST file that is accessible since it persists in the <em>Containers<\/em> directory.<\/li>\n<li>Invoke <em>GrantAccessToMultipleFiles<\/em>, which sends the newly self-signed bookmarks to <em>ScopedBookmarkAgent<\/em>. 
Since <em>ScopedBookmarkAgent<\/em> uses the new secret, the bookmarks are considered authentic, and therefore <em>ScopedBookmarkAgent<\/em> grants the sandboxed app the access token <strong>without user interaction<\/strong>.<\/li>\n<li>Use the new arbitrary file access capability to escape the macOS sandbox.<\/li>\n<\/ol>\n<p>As corroborated by our research, this exploit works against any sandboxed app that uses security-scoped bookmarks and is therefore a generic macOS sandbox escape.<\/p>\n<h2 class=\"wp-block-heading\" id=\"strengthening-device-security-through-vulnerability-management-and-threat-intelligence-sharing\">Strengthening device security through vulnerability management and threat intelligence sharing<\/h2>\n<p>Security technologies such as the macOS App Sandbox are designed to protect the device from malware and other cybersecurity threats, both as a default security measure and a final safeguard. Nonetheless, attackers continue to find new ways of breaking through these defenses precisely because of what a successful escape yields: full access to the device and the ability to run any files or processes they want without being detected by conventional security solutions.<\/p>\n<p>Our research on the CVE-2025-31191 vulnerability highlights why organizations need a security solution like <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-vulnerability-management\/defender-vulnerability-management\">Microsoft Defender Vulnerability Management<\/a> that enables them to identify and remediate vulnerabilities and misconfigurations on devices in real time and prioritize those in need of immediate attention. Additionally, <a href=\"https:\/\/www.microsoft.com\/security\/business\/endpoint-security\/microsoft-defender-endpoint\">Microsoft Defender for Endpoint<\/a> detects and alerts on anomalous device activities using advanced behavioral analytics and machine learning. 
In this case, Microsoft Defender for Endpoint detects sandboxed apps controlling security keys that normally are not accessed by those apps. Moreover, in the context of our exploit, Defender for Endpoint detects such behavior as suspicious and blocks the activity, rendering the exploit unusable.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-21.webp\" alt=\"Screenshot of Microsoft Defender for Endpoint detection the exploit with the alert Suspicious Keychain item manipulation\" class=\"wp-image-138751 webp-format\" srcset data-orig-src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-21.webp\"><figcaption class=\"wp-element-caption\"><em>Figure 6. Detection of the exploit<\/em><\/figcaption><\/figure>\n<p>Lastly, this research emphasizes the value and necessity of responsible disclosure and collaboration throughout the security community. Vulnerability discoveries, cooperation between security researchers and vendors, and coordinated response across the security community are all paramount to defend against the ever-growing and ever-changing threats across platforms. 
These activities, along with other forms of threat intelligence sharing, strengthen and enhance our security technologies to help safeguard users across platforms and devices.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/microsoft-365\/security\/endpoint-defender\">Learn how Microsoft Defender for Endpoint delivers a complete endpoint security solution across all platforms.<\/a><\/p>\n<p><strong>Jonathan Bar Or<\/strong><\/p>\n<p><em>Microsoft Threat Intelligence<\/em><\/p>\n<h2 class=\"wp-block-heading\" id=\"learn-more\">Learn more<\/h2>\n<p>For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: <a href=\"https:\/\/aka.ms\/threatintelblog\">https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n<p>To get notified about new publications and to join discussions on social media, follow us on LinkedIn at <a href=\"https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.linkedin.com\/showcase\/microsoft-threat-intelligence<\/a>, and on X (formerly Twitter) at <a href=\"https:\/\/x.com\/MsftSecIntel\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/x.com\/MsftSecIntel<\/a>.<\/p>\n<p>To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast: <a href=\"https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/thecyberwire.com\/podcasts\/microsoft-threat-intelligence<\/a>.<\/p>\n<p>Read more <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/05\/01\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft uncovered a vulnerability in macOS that could 
allow specially crafted codes to escape the App Sandbox and run unrestricted on the system. We shared our findings with Apple and a fix was released for this vulnerability, now identified as CVE-2025-31191. We encourage macOS users to apply security updates as soon as possible.<br \/>\nThe post Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape appeared first on Microsoft Security Blog. READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[1247],"class_list":["post-58595","post","type-post","status-publish","format-standard","hentry","category-microsoft-secure","tag-macos"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-01T17:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox 
escape\",\"datePublished\":\"2025-05-01T17:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/\"},\"wordCount\":2119,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image-6.jpg\",\"keywords\":[\"macOS\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/\",\"name\":\"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image-6.jpg\",\"datePublished\":\"2025-05-01T17:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image-6.jpg\",\"contentUrl\":\"https:\\\/\\\/www.microsoft.com\\\/en-us\\\/security\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/04\\\/image-6.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"macOS\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/macos\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat 
IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/","og_locale":"en_US","og_type":"article","og_title":"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-05-01T17:00:00+00:00","og_image":[{"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape","datePublished":"2025-05-01T17:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/"},"wordCount":2119,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg","keywords":["macOS"],"articleSection":["Microsoft 
Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/","url":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/","name":"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg","datePublished":"2025-05-01T17:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2025\/04\/image-6.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/analyzing-cve-2025-31191-a-macos-security-scoped-bookmarks-based-sandbox-escape\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"macOS","item":"https:\/\/www.threatshub.org\/blog\/tag\/macos\/"},{"@type":"ListItem","position":3,"name":"Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - 
TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58595","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=58595"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/58595\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=58595"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=58595"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=58595"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}