CVE-2025-65741

9.8 CRITICAL

📋 TL;DR

CVE-2025-65741 allows attackers to inject malicious dynamic libraries (.dylib files) into Sublime Text 3 on macOS, enabling arbitrary code execution within the application's context. This affects macOS users running vulnerable Sublime Text 3 versions. The vulnerability requires local access or social engineering to deliver the malicious library.

💻 Affected Systems

Products:
  • Sublime Text 3
Versions: Build 3208 and earlier
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS due to .dylib injection mechanism. Windows/Linux versions not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via privilege escalation, data theft, or ransomware deployment if Sublime Text has elevated privileges.

🟠 Likely Case

Local privilege escalation, data exfiltration from files opened in Sublime Text, or installation of persistence mechanisms.

🟢 If Mitigated

Limited impact if the application runs with minimal privileges and file integrity monitoring detects unauthorized library loads.

🌐 Internet-Facing: LOW - Requires local access or user interaction to execute malicious payload.
🏢 Internal Only: MEDIUM - Insider threats or compromised internal accounts could exploit this for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

A proof-of-concept is available on GitHub. Exploitation requires the user to execute a malicious .dylib file or be tricked into loading it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 3209 or later

Vendor Advisory: https://www.sublimetext.com/3

Restart Required: Yes

Instructions:

1. Open Sublime Text 3
2. Go to Sublime Text > Check for Updates
3. Install available update
4. Restart Sublime Text

🔧 Temporary Workarounds

Restrict Library Loading

macOS

Use macOS sandboxing or entitlements to restrict dynamic library loading

Application Whitelisting

macOS

Use macOS Parental Controls or third-party tools to restrict which applications can load libraries

🧯 If You Can't Patch

  • Run Sublime Text with reduced privileges using sandbox-exec
  • Monitor for suspicious .dylib file creation/modification in Sublime Text directories

🔍 How to Verify

Check if Vulnerable:

Check the Sublime Text version via 'Sublime Text > About Sublime Text'. If the version is Build 3208 or earlier, the system is vulnerable.

Check Version:

defaults read /Applications/Sublime\ Text.app/Contents/Info.plist CFBundleVersion

Verify Fix Applied:

Verify that the version is Build 3209 or later in the About dialog. Test with the known PoC from the GitHub repository.
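
The version check above and the .dylib monitoring suggested under "If You Can't Patch", combined into one script as an added example (not from the vendor or the original advisory). The build threshold and the `defaults read` command are the ones given on this page; the per-user data directory path and the 7-day review window are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Threshold comes from the advisory:
# Build 3208 and earlier are affected, Build 3209 or later is fixed.
FIXED_BUILD=3209
APP_PLIST="/Applications/Sublime Text.app/Contents/Info.plist"
# Assumption: default per-user data directory for Sublime Text 3 on macOS.
USER_DIR="$HOME/Library/Application Support/Sublime Text 3"

# classify_build BUILD: print "vulnerable", "patched" or "unknown".
classify_build() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown" ;;      # empty or non-numeric input
        *) if [ "$1" -lt "$FIXED_BUILD" ]; then echo "vulnerable"
           else echo "patched"; fi ;;
    esac
}

# recent_dylibs DIR DAYS: print .dylib files under DIR modified in the last DAYS days.
recent_dylibs() {
    [ -d "$1" ] || return 0                 # missing directory: nothing to report
    find "$1" -type f -name '*.dylib' -mtime "-$2" 2>/dev/null | sort
}

# audit: read the installed build and list recently changed libraries for review.
audit() {
    build=$(defaults read "$APP_PLIST" CFBundleVersion 2>/dev/null || true)
    echo "Sublime Text build: ${build:-not found} ($(classify_build "$build"))"
    for dir in "/Applications/Sublime Text.app" "$USER_DIR"; do
        recent_dylibs "$dir" 7 | while IFS= read -r f; do
            echo "review: $f"
        done
    done
}

# 'defaults' exists only on macOS; skip the audit elsewhere.
if command -v defaults >/dev/null 2>&1; then audit; fi
```

A library listed under "review" is not necessarily malicious: an application update also changes the bundled .dylib files, so compare the timestamps against known update times.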

📡 Detection & Monitoring

Log Indicators:

  • Console logs showing unexpected library loads
  • Sublime Text crash reports with foreign libraries

Network Indicators:

  • Unexpected outbound connections from Sublime Text process

SIEM Query:

process.name:"Sublime Text" AND event.action:"library_load" AND NOT library.path:"/Applications/Sublime Text.app/*"
