CVE-2025-57443
📋 TL;DR
FrostWire 6.14.0-build-326 for macOS ships with permissive hardened-runtime entitlements that allow a local attacker to inject code into the FrostWire process via the DYLD_INSERT_LIBRARIES environment variable. Because the injected code runs with whatever privacy (TCC) grants the user has given FrostWire, this escalates to access of arbitrary TCC-approved directories. Only macOS users running this specific FrostWire version are affected.
💻 Affected Systems
- FrostWire
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full access to all TCC-protected directories (Documents, Desktop, Downloads, etc.) and can execute arbitrary code with FrostWire's permissions.
Likely Case
Local attacker accesses sensitive user files in TCC-protected directories or installs persistence mechanisms.
If Mitigated
Attack limited to user's own files if proper file permissions and TCC restrictions are in place.
🎯 Exploit Status
Exploitation requires local user access. A public PoC is available in a GitHub repository. DYLD injection is a well-understood attack vector on macOS.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None known
Restart Required: No
Instructions:
1. Check the FrostWire website for an updated version.
2. Uninstall the vulnerable version.
3. Install the patched version if one is available.
4. Monitor vendor communications for security updates.
🔧 Temporary Workarounds
Remove FrostWire entitlements
macOS: Remove the permissive entitlements (allow-dyld-environment-variables, disable-library-validation) from FrostWire.app by re-signing it ad hoc with an entitlements file (custom.entitlements below) that omits those two keys. Re-signing replaces the developer's signature, so macOS treats the result as a new code identity: existing TCC approvals for FrostWire will be prompted for again.
codesign --remove-signature /Applications/FrostWire.app
codesign --sign - --entitlements custom.entitlements /Applications/FrostWire.app
Restrict DYLD environment variables
macOS: The boot argument below is sometimes suggested as a system-wide DYLD restriction, but amfi_get_out_of_my_way=1 actually turns off AppleMobileFileIntegrity enforcement (code-signing and library-validation checks) for every process. It weakens the system rather than hardening it and should not be used as a workaround.
sudo nvram boot-args="amfi_get_out_of_my_way=1"
Note: This disables a core system protection, can only be set with System Integrity Protection disabled on current hardware, and requires a reboot to take effect.
🧯 If You Can't Patch
- Uninstall FrostWire 6.14.0-build-326 completely from affected macOS systems
- Implement strict file permissions and monitor for unauthorized access to TCC-protected directories
🔍 How to Verify
Check if Vulnerable:
Check the FrostWire version: open FrostWire → About FrostWire. If the version is 6.14.0-build-326, the system is vulnerable.
Check Version:
defaults read /Applications/FrostWire.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
Verify that FrostWire is uninstalled or updated to a newer version. Check the entitlements of the installed bundle (the command prints nothing when neither entitlement is present):
codesign -d --entitlements - /Applications/FrostWire.app 2>/dev/null | grep -E "allow-dyld-environment-variables|disable-library-validation"
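The grep above only tells you whether the two strings appear. The following script, added here as an example and not part of the advisory or the FrostWire project, parses the entitlements plist that codesign emits and reports whether the two keys are both set to true, which is the combination that makes DYLD_INSERT_LIBRARIES injection possible. The sample plists are constructed; the audit_app function shells out to codesign and therefore only works on macOS.

```python
"""Audit an app bundle's entitlements for the DYLD-injection-enabling pair.

Added example, not FrostWire project code.  The two entitlement keys are the
ones named in the advisory; the sample plists below are constructed.
"""
import plistlib
import subprocess

# Hardened-runtime entitlements that together let a local user load an
# arbitrary dylib into the signed process via DYLD_INSERT_LIBRARIES.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.allow-dyld-environment-variables":
        "dyld honours DYLD_* variables (including DYLD_INSERT_LIBRARIES) for this process",
    "com.apple.security.cs.disable-library-validation":
        "loaded libraries need not be signed by Apple or the app's own Team ID",
}


def extract_plist(raw: bytes) -> bytes:
    """Return the XML plist part of `codesign -d --entitlements -` output.

    Older codesign builds prefix the XML with a binary blob header; newer ones
    print bare XML.  Both are handled by locating the document start.
    """
    for marker in (b"<?xml", b"<plist"):
        idx = raw.find(marker)
        if idx != -1:
            return raw[idx:]
    return raw


def audit_entitlements(raw: bytes) -> dict:
    """Parse entitlements and report which risky keys are set to true."""
    ents = plistlib.loads(extract_plist(raw))
    flagged = {k: why for k, why in RISKY_ENTITLEMENTS.items() if ents.get(k) is True}
    return {
        "flagged": sorted(flagged),
        "reasons": flagged,
        # Injection needs both: the variable must reach dyld AND the foreign
        # dylib must get past (disabled) library validation.
        "injectable": len(flagged) == len(RISKY_ENTITLEMENTS),
    }


def audit_app(app_path: str) -> dict:
    """Run codesign against a real bundle (macOS only)."""
    out = subprocess.run(["codesign", "-d", "--entitlements", "-", app_path],
                         capture_output=True, check=True).stdout
    return audit_entitlements(out)


# Constructed sample: the entitlement shape the advisory describes.
VULNERABLE_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""

# Constructed sample: what custom.entitlements should look like after the workaround.
HARDENED_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.network.client</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(audit_app(sys.argv[1]))
    else:
        print("vulnerable sample:", audit_entitlements(VULNERABLE_SAMPLE))
        print("hardened sample:  ", audit_entitlements(HARDENED_SAMPLE))
```

Run it with a bundle path (`python3 audit_entitlements.py /Applications/FrostWire.app`) to audit an installed app, or with no arguments to see the two constructed samples. A result with `injectable` true is the condition the advisory describes; one key alone is a weaker finding.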
📡 Detection & Monitoring
Log Indicators:
- Unusual process launches from FrostWire
- Access to TCC-protected directories by FrostWire process
- DYLD_INSERT_LIBRARIES environment variable being set
Network Indicators:
- None: this is a local privilege escalation with no network component
SIEM Query:
process.name:"FrostWire" AND event.action:"file_access" AND (file.path:"/Users/*/Documents/*" OR file.path:"/Users/*/Desktop/*" OR file.path:"/Users/*/Downloads/*")
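The query above matches only the file-access half of the indicators. The script below, added here as an example rather than taken from the advisory, applies all three log indicators to endpoint telemetry: it flags process starts where DYLD_INSERT_LIBRARIES was set in the environment, flags FrostWire accesses to the TCC-protected directories, and then correlates the two by pid, which is the high-confidence signal. The events and their field names are constructed in the shape an endpoint agent might export; real agents differ, and some do not record process environments at all.

```python
"""Flag DYLD_INSERT_LIBRARIES use and TCC-directory access in process telemetry.

Added example, not part of the advisory.  SAMPLE_EVENTS are constructed JSON
lines; the field names (event, process, pid, env, path) are assumptions.
"""
import json
import re

# The TCC-protected user directories the advisory names.
TCC_DIR_PATTERN = re.compile(r"^/Users/[^/]+/(Documents|Desktop|Downloads)/")

# Constructed telemetry: one FrostWire start with the injection variable set,
# one benign start, and three file accesses (one inside a TCC directory by
# the injected pid, one to FrostWire's own config, one by Finder).
SAMPLE_EVENTS = """\
{"event":"process_start","process":"FrostWire","pid":4101,"ppid":1,"env":{"HOME":"/Users/alice","DYLD_INSERT_LIBRARIES":"/Users/alice/Library/Caches/x.dylib"}}
{"event":"process_start","process":"Terminal","pid":4102,"ppid":1,"env":{"HOME":"/Users/alice"}}
{"event":"file_access","process":"FrostWire","pid":4101,"path":"/Users/alice/Documents/tax-2024.pdf"}
{"event":"file_access","process":"FrostWire","pid":4101,"path":"/Users/alice/Library/Application Support/FrostWire/config.db"}
{"event":"file_access","process":"Finder","pid":310,"path":"/Users/alice/Desktop/notes.txt"}
"""


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dyld_injection_alerts(events: list, watched_process: str = "FrostWire") -> list:
    """process_start events for the watched process with DYLD_INSERT_LIBRARIES set."""
    alerts = []
    for e in events:
        if e.get("event") != "process_start" or e.get("process") != watched_process:
            continue
        inserted = e.get("env", {}).get("DYLD_INSERT_LIBRARIES")
        if inserted:
            alerts.append({"pid": e["pid"], "inserted": inserted})
    return alerts


def tcc_access_alerts(events: list, watched_process: str = "FrostWire") -> list:
    """file_access events by the watched process inside a TCC-protected directory.

    This mirrors the SIEM query; note that a user who granted FrostWire access
    to Documents produces the same events legitimately, so this alone is noisy.
    """
    return [
        {"pid": e["pid"], "path": e["path"]}
        for e in events
        if e.get("event") == "file_access"
        and e.get("process") == watched_process
        and TCC_DIR_PATTERN.match(e.get("path", ""))
    ]


def correlate(events: list, watched_process: str = "FrostWire") -> list:
    """TCC accesses by a pid whose process started with DYLD_INSERT_LIBRARIES set."""
    injected = {a["pid"]: a["inserted"] for a in dyld_injection_alerts(events, watched_process)}
    return [
        dict(a, inserted=injected[a["pid"]])
        for a in tcc_access_alerts(events, watched_process)
        if a["pid"] in injected
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("DYLD_INSERT_LIBRARIES starts:", dyld_injection_alerts(evs))
    print("TCC directory accesses:     ", tcc_access_alerts(evs))
    print("correlated (high confidence):", correlate(evs))
```

If your agent does not capture process environments, the equivalent signal is a loaded-module event for the FrostWire process whose dylib path lies outside the application bundle and the system library paths; the correlation step is the same once you have a pid.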