CVE-2025-8672

CVE-2025-8672

Name

CVE-2025-8672

Description

MacOS version of GIMP bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of GIMP, potentially disguising attacker's malicious intent. This issue has been fixed in 3.1.4.2 version of GIMP.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
third-party-advisory	https://cert.pl/en/posts/2025/08/tcc-bypass/
issue-tracking	https://gitlab.gnome.org/GNOME/gimp/-/issues/13848
product	https://gitlab.gnome.org/Infrastructure/gimp-macos-build
technical-description	https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/

Type

URI

third-party-advisory

https://cert.pl/en/posts/2025/08/tcc-bypass/

issue-tracking

https://gitlab.gnome.org/GNOME/gimp/-/issues/13848

product

https://gitlab.gnome.org/Infrastructure/gimp-macos-build

technical-description

https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/

Match rules

CPE URI	Source package	Min version	Max version
	gimp	>= 0	< 3.1.4.2
`cpe:2.3:a:gimp:gimp::::::::`	gimp	>= 3.0.2	< 3.0.4
`cpe:2.3:a:gimp:gimp::::::::`	gimp	>= 3.0.2	<= None

CPE URI

Source package

Min version

Max version

gimp

>= 0

< 3.1.4.2

cpe:2.3:a:gimp:gimp:*:*:*:*:*:*:*:*

gimp

>= 3.0.2

< 3.0.4

cpe:2.3:a:gimp:gimp:*:*:*:*:*:*:*:*

gimp

>= 3.0.2

<= None

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
gimp	edge-community	3.0.4-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	edge-community	3.0.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	edge-community	3.0.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	edge-community	3.0.0-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	edge-community	2.10.38-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	edge-community	2.10.36-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	edge-community	2.8.22-r2	None	possibly vulnerable
gimp	3.23-community	3.0.4-r1	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	3.22-community	3.0.4-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	3.22-community	2.10.38-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
gimp	3.22-community	2.10.36-r0	None	possibly vulnerable
gimp	3.22-community	2.8.22-r2	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

gimp

edge-community

3.0.4-r1

Natanael Copa <ncopa@alpinelinux.org>

possibly vulnerable

gimp

edge-community