Critical macOS Security Flaw CVE-2025-31191: Sandbox Escape Exploited and Mitigated

A critical security flaw in macOS, identified as CVE-2025-31191, was publicly detailed by Microsoft in May 2025, highlighting the ongoing contest between sophisticated attackers and platform defenders in securing endpoint computing. This vulnerability enables attackers to bypass the macOS App Sandbox—a mechanism designed as the last line of defense protecting macOS users from adversaries who manage to compromise an application. Microsoft’s in-depth research and responsible disclosure provide invaluable insight into this flaw, revealing how theoretical boundaries in Apple’s security architecture were practically circumvented, and what this means for the future of cross-platform security.

Understanding the macOS App Sandbox: Role, Enforcement, and Limitations​

First introduced in OS X Lion, the macOS App Sandbox is an architectural control designed to confine an application’s access to system resources and user data, even if the application becomes compromised. The security model relies on a “deny-by-default” principle, requiring all access to sensitive resources to be explicitly declared and granted—usually through user interaction or developer entitlements. Applications distributed through the Mac App Store are required to adopt these sandboxing policies, which restrict direct file system access, network communication, and interprocess messaging.
Apple has reengineered aspects of the App Sandbox over time, updating mechanisms for file access, especially following several notable bypasses in years prior. Notably, from macOS Monterey onwards, the Open and Save file dialogs are handled by an unsandboxed XPC service (com.apple.appkit.xpc.openAndSavePanelService.xpc), reducing the potential for sandbox escapes via those interfaces. At the same time, developers have been given APIs—such as AppleScriptTask and GrantAccessToMultipleFiles—designed to allow for legitimate, user-approved file access workflows in sandboxed contexts.

Security-Scoped Bookmarks: Balancing User Control with Persistent Access​

One of the primary mechanisms for enabling sandboxed applications to access user files is the use of security-scoped bookmarks. Introduced by Apple, these serve as capability tokens that encode persistent user-granted access to files or folders outside an application’s container. Security-scoped bookmarks are cryptographically signed using keys kept safe within the macOS keychain and are designed to be resistant to tampering.
The process of granting sandbox escape-proof access through these bookmarks works as follows:

• A user interacts with an Open/Save dialog to select files or folders for an app.
• The system generates a sandbox extension token, signed with a key derived by the kernel, allowing the app specific access, but tokens are ephemeral by design.
• To make access persistent, Apple introduced the ScopedBookmarkAgent, which validates the extension token, generates a long-lived, serializable bookmark object, and signs it with a key unique to the application (derived as HMAC-SHA256(secret, [bundle-id])). This bookmark is stored in the app container in a property list (PLIST).
• Future requests by the application use the bookmark, passing it to the ScopedBookmarkAgent, which validates and issues a fresh extension—removing the need for repeated user approval.

To further bolster security, the signing key secret for each application is stored in a keychain entry (com.apple.scopedbookmarksagent.xpc). Its Access Control List (ACL) is strictly configured so only the system ScopedBookmarkAgent service can read it, preventing apps (even if compromised) from reading or changing the key.

Anatomy of the Vulnerability: How Sandbox Escapes Became Possible​

Microsoft’s research team, while examining macro threats in Microsoft Office for macOS, discovered a subtle but critical flaw: although the ACL for the keychain item (com.apple.scopedbookmarksagent.xpc) prevents unauthorized reading of the signing key, it does not prevent deletion or replacement.
This seemingly innocuous detail exposed a devastating chain of attack:

• Keychain Manipulation: A malicious process running within a sandboxed app context could delete the legitimate signing secret used by the ScopedBookmarkAgent.
• Secret Replacement: The process then inserts a new secret with a known value, attaching a permissive ACL for broad access—including access for the agent.
• Bookmark Fabrication: An attacker, armed with knowledge of the application’s bundle ID (which is public), can compute the cryptographic signing key (HMAC-SHA256(knownSecret, bundle-id)), then craft malicious bookmarks for arbitrary files.
• Bypassing User Consent: The attacker injects these forged bookmarks into the securebookmarks.plist file. When the app next attempts to access a file using these bookmarks, the agent—unable to distinguish the forged secret—validates and grants access as though it were legitimately approved by the user.
• Sandbox Escape and File Access: With this elevated access, the sandbox’s most critical boundaries are undermined. Attackers can reach system files, deploy further payloads, manipulate authentication mechanisms (e.g., by targeting .zshenv or other sensitive configuration files), or exfiltrate private data—circumventing all of the sandbox’s original guarantees.

Microsoft’s proof-of-concept leverages this precise sequence to manipulate the macOS keychain, bypassing both the intended file access restrictions and the requirement for user interaction—contradicting Apple’s foundational security assumptions.

Technical Complexity and Attack Requirements​

While the vulnerability is both theoretically severe and broadly applicable (affecting any sandboxed app using security-scoped bookmarks), several mitigating complexities were observed in practice:

• No Remote Code Execution Chain Provided: Exploiting the vulnerability still requires initial code execution in the context of a sandboxed app. In the research scenario, this was achieved via malicious Office macros, but such macros must be enabled by the user—an additional hurdle, since Microsoft Office for macOS disables macros by default and prompts users to enable them manually.
• Sandbox Awareness and Detection: Apple’s security model evolved after several sandbox escape disclosures in 2021 and 2022 (CVE-2021-30864, CVE-2022-26696, CVE-2022-26706), tightening the criteria by which launch services and XPC connections enforce sandboxing restrictions.
• Persistence and Stealth Requirements: While the attack’s endpoint—sandbox escape—is significant, maintaining stealth and persistence remains challenging under scrutiny by modern endpoint detection platforms.
• Patch Availability: Apple responded promptly to coordinated disclosure, releasing a fix within the macOS security update issued on March 31, 2025, mitigating the exploit by strengthening keychain ACL semantics and likely hardening the logic in ScopedBookmarkAgent against arbitrary entry deletion and replacement.

Critical Analysis: Strengths, Weaknesses, and Implications​

Strengths of the App Sandbox Mechanism​

• Fine-Grained Control: App Sandbox, security-scoped bookmarks, and kernel-level signing represent a robust, layered approach to access management. Apple’s use of cryptographic tokens, privilege separation, and strict default-deny posture set a high bar for most attackers.
• Keychain Isolation: Apple’s use of the system keychain and ACLs to protect secrets sets a well-intentioned standard for application isolation—making it difficult to directly extract cryptographic keys needed for privilege escalation.

Exposed Risks and Residual Weaknesses​

• ACL Manipulation Oversight: The crux of CVE-2025-31191 was Apple’s oversight regarding keychain ACL operations. While reading secrets was well-guarded, deletion and replacement were left insufficiently controlled—mirroring similar escalation techniques historically seen on other OSes, including Windows and Linux.
• Wide Impact Surface: Because security-scoped bookmarks are a standard mechanism, and their use is encouraged by Apple’s own APIs, the exploit is applicable to a broad set of sandboxed apps, ranging from productivity suites to third-party utilities—even those with no apparent relation to Office macros or document workflows.
• User Consent Bypass: The vulnerability nullifies the security model's chief safeguard—the requirement for explicit user consent prior to granting persistent external file access. This represents a critical erosion of user trust in system dialogs and app permissions.
• Combinatorial Attack Potential: The exploit does not require sustained administrator privileges or direct kernel interaction, making it feasible to embed in multi-stage malware or to use as part of a broader attack targeting high-value users.

Defensive Countermeasures and Remaining Challenges​

Apple’s timely fix for this vulnerability demonstrates the strengths of rapid response, responsible disclosure, and inter-vendor collaboration. Updated versions of macOS (as of 31 March 2025) neutralize this specific vector, and macOS users are strongly urged to apply all current patches immediately.
Beyond patching, Microsoft recommends several defense-in-depth strategies:

• Deploy Endpoint Detection and Response (EDR): Microsoft Defender for Endpoint, as detailed in Microsoft’s research, detects abnormal manipulation of keychain secrets and anomalous file access requests by sandboxed processes—even flagging and blocking attempts to manipulate keychain entries not typically accessed by those apps.
• Principle of Least Privilege and Macro Controls: Users should avoid enabling macros in downloaded documents, especially in Microsoft Office for Mac, and organizations should enforce policies to restrict execution of untrusted macro code.
• Threat Intelligence and Community Collaboration: Sharing technical indicators of compromise (IOCs), exploit proofs-of-concept, and detection logic across platforms helps the broader security community react to vulnerabilities as they emerge.

Broader Context: Platform Security in a Heterogeneous World​

CVE-2025-31191 should be interpreted both as a technical milestone in sandbox escape research and as a cautionary tale regarding the subtleties of privilege isolation on any platform. Several persistent themes emerge:

• Platform Complexity Breeds Vulnerabilities: As endpoint operating systems become more complex, with rich APIs for user experience and extensibility, attack surfaces become both deeper and more subtle. Even correct high-level security logic can falter defensively if low-level details (such as ACL modification rights) are missed.
• Cross-Vendor Ecosystem Risks: Microsoft’s research illustrates the importance of evaluating security not just in isolation, but across application and OS boundaries. Attacks may leverage flaws in one vendor’s software to undermine another’s platform-level defenses.
• The Importance of Coordinated Disclosure: Effective security relies on rapid and responsible disclosure, coupled with partnerships between researchers, vendors, and the broader defender community. Apple’s quick remediation reflects best practices; end-users and organizations must do their part by staying up to date.

Recommendations for Users and Organizations​

To mitigate the risk of exploitation:

• Install macOS Updates Immediately: Patches for CVE-2025-31191 shipped in March 2025 (verify availability in Security Update documentation from Apple and confirm your macOS build includes the fix).
• Restrict Macro Use: Organizations should educate users about the risks of enabling macros and consider deploying configuration profiles that disable or restrict macro execution on macOS endpoints.
• Implement Advanced Protection: Adopt and properly configure endpoint security solutions like Microsoft Defender for Endpoint, which leverage machine learning and behavioral analytics to detect suspicious activity—including attempts to modify keychain secrets or forge bookmark entries.
• Audit Application Permissions: Monitor and regularly audit the permissions granted to macOS apps, reviewing which have persistent security-scoped bookmarks, and revoke unnecessary or suspicious privileges.
• Stay Informed: Monitor threat intelligence sources, subscribe to security advisories from both Apple and independent researchers, and participate in cross-vendor threat information sharing where possible.

Conclusion​

The CVE-2025-31191 vulnerability underscores the dual nature of contemporary endpoint security: while layered mechanisms like the macOS App Sandbox and security-scoped bookmarks effectively guard most routine threats, adversaries continue to probe for overlooked details and logic errors. Apple’s collaboration with Microsoft, rapid patch issuance, and the ongoing vigilance of the security research community all contribute to a more secure ecosystem.
Nonetheless, this episode serves as a reminder: application sandboxing—and the persistent storage of user-granted privileges—are only as strong as their weakest link. Security architects, developers, and end-users must embrace a defense-in-depth mindset, ensuring that the smallest system detail is as rigorously defended as the grandest security feature.
For more details on the technical research, readers can access the full report from the Microsoft Threat Intelligence Blog or consult Apple’s security advisory for up-to-date status on addressed vulnerabilities. Stay vigilant—sandbox escapes are not merely a theoretical concern, but a tangible risk in an ever-evolving landscape of endpoint security.

---

Source: Microsoft Analyzing CVE-2025-31191: A macOS security-scoped bookmarks-based sandbox escape | Microsoft Security Blog