Canva for Mac Security Vulnerability: CVE-2025-12792 Explained

Overview

CVE-2025-12792 is a low-severity vulnerability in the Mac App Store distribution of the Canva for Mac desktop application. Builds prior to 1.117.1 were signed without the Hardened Runtime option enabled. Hardened Runtime is what stops other processes from injecting code into an app, so its absence lets a local, unprivileged attacker run arbitrary code inside the Canva process and, from there, act with the same Transparency, Consent, and Control (TCC) permissions the user has already granted to Canva. In effect the attacker piggybacks on Canva's existing grants to reach resources that macOS would otherwise withhold from the attacker's own code.

Technical Details

The root cause is that the affected builds were signed without Hardened Runtime. Hardened Runtime is not a separate component but a code-signing option (the runtime flag, set with codesign --options runtime when the app is signed) that switches on a set of process-level mitigations: library validation, so the process loads only dylibs signed by Apple or by the app's own Team ID; disregard of the DYLD_* environment variables, so DYLD_INSERT_LIBRARIES cannot preload an attacker's library; a ban on unsigned executable memory; and refusal of debugger and task-port attachment from other processes. Each of these protections can be switched back off individually through entitlements, which is why an audit has to look at the signed entitlements as well as the flag. Apple requires Hardened Runtime for notarization of apps distributed outside the store, but not for Mac App Store submissions, which is how a build without it could ship through that channel. Without these mitigations, the ordinary barriers to injecting code into a process running as the same user are simply not in place for Canva.

A local attacker, meaning any code already running as the logged-in user, could therefore load their own code into the Canva process. TCC attributes an access request to the process that makes it, identified by its code-signing identity, so code running inside Canva is indistinguishable from Canva to TCC and receives whatever the user has already approved, with no new consent prompt. TCC gates the camera, the microphone, screen recording, and protected user data such as the Desktop, Documents, and Downloads folders; whichever of these Canva has been granted, the injected code gets too. The blast radius is therefore bounded by Canva's grants, which can be read off System Settings > Privacy & Security on the affected Mac.

CVSS Analysis

The CVSS score published for CVE-2025-12792 is 3.2 (Low).

The metric breakdown given alongside that score is:

  • Attack Vector (AV): Local (L) – The attacker must already be able to run code on the Mac.
  • Attack Complexity (AC): Low (L) – No special conditions or race windows are needed.
  • Privileges Required (PR): None (N) – Any unprivileged local user or process will do; no administrator rights are needed.
  • User Interaction (UI): None (N) – The victim does not have to do anything.
  • Scope (S): Unchanged (U) – The vulnerable component and the affected resources are governed by the same security authority; the attacker does not break out to a different one.
  • Confidentiality Impact (C): Low (L) – Some sensitive information may be disclosed, bounded by what Canva can already read.
  • Integrity Impact (I): Low (L) – Some data that Canva can write to may be modified.
  • Availability Impact (A): None (N) – No effect on availability.

Two cautions before this breakdown goes into a ticket. First, the eight values above do not reproduce 3.2 under the CVSS v3.1 base-score formula: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N evaluates to 5.1 (Medium) there, so the 3.2 figure must come from a different CVSS version or a different metric set; read the vector string in the CVE record itself rather than reconstructing it from this list. Second, the low score reflects the need for local code execution, not a harmless outcome: the injected code inherits TCC grants the user would never have made to the attacker's own program, which is a bypass of consent controls rather than an escalation to root, and that is what warrants attention.

Possible Impact

Although rated low, CVE-2025-12792 matters because:

  • A local attacker can reach resources protected by TCC without any consent prompt, provided Canva already holds those grants. Depending on what the user has approved, that can include the camera, the microphone, and files in protected user folders.
  • The injected code gains no root or other extra Unix privileges; it runs as the same user, but under Canva's identity, so it can do whatever Canva is allowed to do, including things the attacker's own program would have been refused.
  • The real-world impact therefore depends on which TCC permissions the user has granted Canva and on what the injected code does with them; the CVSS metrics capture only the generic case.

Mitigation or Patch Steps

The fix is to update Canva for Mac to version 1.117.1 or later; that build is signed with Hardened Runtime enabled, which closes CVE-2025-12792.

  1. Open the Mac App Store.
  2. Search for “Canva”.
  3. If an update is available, click the “Update” button.
  4. Alternatively, download the latest version of Canva for Mac from the official Canva website.

After updating, confirm that the installed bundle reports version 1.117.1 or later and that its code signature carries the runtime flag. Beyond this one fix, keep applications current, since signing and runtime-hardening corrections like this one arrive only through updates.
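The verification step above, and the Hardened Runtime flag and entitlements described under Technical Details, can be checked from the command line with codesign. The following is an added example written for this post, not Canva's code and not from the original article. It runs codesign against a bundle path you give it and parses two things: the CodeDirectory flags, where Hardened Runtime appears as runtime, and the signed entitlements, because an app can carry the runtime flag yet re-open injection through opt-out entitlements. The sample codesign output and entitlements plist embedded in the file are constructed for a fictional Example.app so the parsers can be exercised on any machine; that app name and any bundle path you pass are assumptions.

```python
"""Check whether a macOS app bundle was signed with Hardened Runtime.

Added example for this post; it is not Canva's code and not from the original
article. It parses the human-readable output of `codesign -d --verbose=2`,
which reports the CodeDirectory flags (e.g. `flags=0x10000(runtime)` when
Hardened Runtime is on), and the signed entitlements, which can switch
individual Hardened Runtime protections back off.
"""
import plistlib
import re
import subprocess

# The CodeDirectory line that `codesign -d --verbose=2` prints (to stderr).
_FLAGS_RE = re.compile(r"^CodeDirectory .*?flags=0x[0-9a-fA-F]+\(([^)]*)\)", re.M)

# Entitlements that re-open a protection Hardened Runtime would otherwise enforce.
WEAKENING_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "dylibs not signed by Apple or the app's Team ID may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables such as DYLD_INSERT_LIBRARIES are honoured",
    "com.apple.security.get-task-allow":
        "other processes may obtain the task port (debugger attach)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory is permitted",
}


def codedirectory_flags(codesign_output: str) -> set[str]:
    """Return the set of CodeDirectory flag names, e.g. {'adhoc', 'runtime'}."""
    match = _FLAGS_RE.search(codesign_output)
    if match is None:
        return set()
    return {f for f in match.group(1).split(",") if f and f != "none"}


def has_hardened_runtime(codesign_output: str) -> bool:
    """True when the 'runtime' flag (Hardened Runtime) is present in the signature."""
    return "runtime" in codedirectory_flags(codesign_output)


def weakening_entitlements(entitlements_plist: bytes) -> dict[str, str]:
    """Map each Hardened-Runtime-weakening entitlement that is set to true to its effect."""
    if not entitlements_plist.strip():
        return {}
    ents = plistlib.loads(entitlements_plist)
    return {key: why for key, why in WEAKENING_ENTITLEMENTS.items() if ents.get(key) is True}


def audit_bundle(path: str) -> dict:
    """Run codesign against a real bundle (macOS only) and summarise the result."""
    desc = subprocess.run(["codesign", "-d", "--verbose=2", path],
                          capture_output=True, text=True)
    hardened = has_hardened_runtime(desc.stderr)  # codesign describes on stderr
    # ':-' prints the entitlements plist to stdout without the blob header.
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True)
    return {
        "bundle": path,
        "hardened_runtime": hardened,
        "weakening_entitlements": weakening_entitlements(ents.stdout) if hardened else {},
    }


# Constructed sample output in the format codesign uses; not captured from Canva.
SAMPLE_HARDENED = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8980
"""
SAMPLE_UNHARDENED = SAMPLE_HARDENED.replace("flags=0x10000(runtime)", "flags=0x0(none)")

# Constructed entitlements plist for the fictional sample app (also not from Canva).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(audit_bundle(sys.argv[1]))          # e.g. /Applications/Canva.app
    else:
        print("sample hardened:", has_hardened_runtime(SAMPLE_HARDENED))
        print("sample unhardened:", has_hardened_runtime(SAMPLE_UNHARDENED))
        print("sample entitlement opt-outs:", weakening_entitlements(SAMPLE_ENTITLEMENTS))
```

Run it with the path to an installed bundle on a Mac to audit that app; with no argument it exercises the parsers on the constructed samples. A result of hardened_runtime False is the condition this CVE describes; hardened_runtime True with a non-empty weakening_entitlements list means the flag is set but some of its protections have been handed back, which deserves the same scrutiny.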

About the Author

Cybersecurity specialist and founder of Gowri Shankar Infosec, a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
