Sublime Text 3 Build 3208 or prior for MacOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file and force the execution of this library in the context of the Sublime Text application.
The attack involves compiling a malicious dynamic library (.dylib) and placing it in a location searched by the application during dependency loading. Since Sublime Text 3 does not sufficiently verify library search paths, the malicious .dylib file is loaded and executed with the privileges of the application process. No user interaction is required beyond launching the vulnerable application.
An attacker can execute arbitrary code in the context of the Sublime Text process, which may lead to unauthorized access to user data, privilege escalation, or system compromise — in accordance with the CVSS vector indicating complete breach of confidentiality, integrity, and availability.
Sublime Text should be updated to a version higher than Build 3208 or upgraded to Sublime Text 4. It is recommended to apply the principle of least privilege and restrict write permissions to directories searched by the application. Patches available from the vendor should be applied according to the references.
Sublime Text 3 Build 3208 and earlier on macOS.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSublimetext Sublime Text 3
APPSublimetext< 3.2.2