CVE-2025-8672: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in the MacOS version of GIMP (CVE-2025-8672) affecting all versions before 3.1.4.2. The vulnerability involves the bundled Python interpreter inheriting Transparency, Consent, and Control (TCC) permissions granted to the main application bundle (CERT Advisory, NVD).

The vulnerability stems from incorrect default permissions (CWE-276) in GIMP's MacOS implementation. The bundled Python interpreter inherits TCC permissions from the main application bundle, allowing potential exploitation. The vulnerability has received a CVSS 3.1 Base Score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high potential impact (NVD).

An attacker with local user access can invoke the Python interpreter with arbitrary commands or scripts, leveraging GIMP's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Additionally, accessing resources beyond previously granted TCC permissions will prompt the user for approval in GIMP's name, potentially disguising malicious intent (CERT Advisory).

This vulnerability has been fixed in GIMP version 3.1.4.2. Users are advised to update to this version or later to mitigate the security risk (CERT Advisory).