Vulnerabilities in Sparkle before 1.13.1

All Sparkle versions older than 1.13.1 (including 1.5b6) that fetch the appcast or release notes over an insecure HTTP connection are vulnerable to a man-in-the-middle attack that can lead to disclosure of local files or remote code execution.

The vulnerability is fixed in version 1.13.1. We recommend that all developers update ASAP. For most applications it’s as easy as replacing Sparkle.framework with the new version (upgrading notes).

Mitigations for developers

  • Update Sparkle to at least v1.13.1.
  • If you are unable to update for some reason, patches for older versions of Sparkle are available: a6e9c, 70f69. If you use any older versions of Sparkle, or forks of the official version, please verify that they have these patches applied.
  • Make sure your application loads the appcast feed and release notes (if any) over HTTPS only (HTTPS certificates are free from Let’s Encrypt). HTTPS makes the vulnerability much harder to exploit, but we recommend upgrading Sparkle as well, as defence-in-depth (e.g. against compromised servers).
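As an added illustration of the checks above (this is not code from the Sparkle project), a small Python audit that flags a Sparkle version older than the fixed release and any plain-HTTP URL among the feed URL, the release-notes links and the enclosures of an appcast. The `SUFeedURL` key and the `sparkle:` XML namespace are Sparkle's standard ones; the sample appcast and its hostnames are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

FIXED_VERSION = "1.13.1"  # first fixed release, per the advisory
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

def parse_version(v):
    """Turn '1.13.1' or '1.5b6' into a comparable list of tuples; a
    pre-release tag such as 'b6' sorts below the final release of that number."""
    out = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)(?:([a-z]+)(\d*))?", piece)
        if not m:
            raise ValueError(f"unrecognised version piece: {piece!r}")
        num, tag, tagnum = m.groups()
        out.append((int(num), 0 if tag else 1, int(tagnum or 0)))
    return out

def sparkle_is_vulnerable(version):
    """True for anything older than the first fixed release (1.5b6 included)."""
    return parse_version(version) < parse_version(FIXED_VERSION)

def insecure_urls(feed_url, appcast_xml):
    """Return every (kind, url) pair that would be fetched over plain HTTP:
    the feed itself plus each release-notes link and enclosure in the appcast."""
    urls = [("SUFeedURL", feed_url)]
    root = ET.fromstring(appcast_xml)
    for item in root.iter("item"):
        for el in item.findall(f"{{{SPARKLE_NS}}}releaseNotesLink"):
            urls.append(("releaseNotesLink", (el.text or "").strip()))
        for enc in item.findall("enclosure"):
            urls.append(("enclosure", enc.get("url", "")))
    return [(kind, u) for kind, u in urls if urlsplit(u).scheme.lower() != "https"]

# Constructed sample (not a real feed): the feed is served over HTTPS, but
# the release notes are still linked over HTTP, which this audit flags.
SAMPLE_FEED_URL = "https://updates.example.com/appcast.xml"
SAMPLE_APPCAST = f"""<?xml version="1.0"?>
<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
  <channel>
    <item>
      <title>Version 2.0</title>
      <sparkle:releaseNotesLink>http://updates.example.com/notes.html</sparkle:releaseNotesLink>
      <enclosure url="https://updates.example.com/App-2.0.zip" sparkle:version="200" />
    </item>
  </channel>
</rss>"""
```

Run `insecure_urls(SAMPLE_FEED_URL, SAMPLE_APPCAST)` and `sparkle_is_vulnerable("1.5b6")` to see the two findings; an empty list and `False` mean both mitigations are in place.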

Thanks to Radoslaw Karpowicz for reporting the vulnerability.

Bug bounty program

We’ve awarded a $250 bounty for Radoslaw’s report. We’re starting an official bug bounty program. We’ll announce the details soon.

If you’ve found a vulnerability affecting Sparkle please report it to pornel@pornel.net.