Cyber Posture

CVE-2025-65741

Critical · Public PoC

Published: 09 December 2025

Modified: 02 January 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.3th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Sublime Text 3 Build 3208 or prior for macOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file and force the execution of this library in the context of the Sublime Text application.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly mitigates CVE-2025-65741 by requiring timely patching of Sublime Text 3 to versions beyond Build 3208, addressing the Dylib Injection flaw.

detect

Scans for and identifies vulnerable installations of Sublime Text 3 Build 3208 or prior affected by the Dylib Injection vulnerability.

prevent, detect

Provides defense-in-depth by scanning for and blocking malicious .dylib files that exploit the Sublime Text Dylib Injection vulnerability.

Security Summary · AI

CVE-2025-65741 is a Dylib Injection vulnerability (CWE-427) affecting Sublime Text 3 Build 3208 and prior versions on macOS. Published on 2025-12-09, it enables an attacker to compile a malicious .dylib file and force its execution within the context of the Sublime Text application. The issue carries a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe potential impact.

According to the CVSS vector, the vulnerability is exploitable over the network with low attack complexity and without privileges or user interaction. Successful exploitation allows arbitrary code execution in the Sublime Text process context, with high impact on confidentiality, integrity, and availability.

Mitigation details are available in advisories referenced at https://github.com/sublimehq/sublime_text, https://www.sublimetext.com/3, and https://github.com/vinicius-batistella/CVE-2025-65741/. Security practitioners should consult these sources for patching guidance and updates beyond Build 3208.

Details

CWE(s)

Affected Products

sublimetext · sublime text 3 · ≤ 3.2.2

MITRE ATT&CK Enterprise Techniques · AI

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1574.004 Dylib Hijacking (tactic: Stealth)
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.

Why these techniques?

The vulnerability is a Dylib Injection flaw (CWE-427, untrusted search path) enabling arbitrary code execution in Sublime Text via malicious .dylib, directly mapping to Exploitation for Client Execution (T1203) and Dylib Hijacking (T1574.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References