Security experts have issued a warning regarding two popular utilities, macOS textutil and KeePassXC, indicating potential vulnerabilities when these tools are used in automated workflows that process inputs from untrusted sources.
Potential Threats Identified
The issues identified are not conventional software vulnerabilities. Instead, they show how features that are ordinarily reliable become security risks once they cross trust boundaries nobody anticipated.
These findings do not involve faulty code: there is no memory leak, authentication bypass, or unauthorized code execution. The concerns arise from how the surrounding system is designed, not from the tools themselves.
Unexpected Behavior in Automated Systems
Automated processes generally assume that local utilities are safe and operate offline. When those assumptions are wrong, the result can be unexpected network requests, resource exhaustion, and exposure of critical backend systems to external manipulation, without triggering any alert.
Research from Cipher Security Labs was conducted on macOS 26.3 (Build 25D125) using a local KeePassXC 2.8.0-snapshot build. The tests demonstrated these behaviors through differential command-line workflows.
According to the researchers, neither tool is defective. The core issue lies in the assumptions engineers and system architects make, which often overstate how safe these tools are.
Examining macOS textutil and KeePassXC
The first case involves macOS textutil, a system utility found at /usr/bin/textutil, frequently used in scripts and backend processes to convert documents. This utility is often assumed to be safe for offline use.
However, when textutil processes HTML files with external references, such as images or stylesheets, it fetches these resources over the internet. Systems that consider document conversion to be a local operation do not account for this behavior.
Testing showed that HTML files without external references generated no outbound requests, whereas files containing remote resources triggered live requests, behaving in effect like server-side request forgery (SSRF).
The second case concerns KeePassXC, specifically its handling of key derivation function (KDF) parameters in KDBX files. These parameters deliberately slow each decryption attempt in order to thwart brute-force attacks.
Researchers found that a KDBX file could carry extreme transform-round values, greatly increasing processing time: a standard file took 0.06 seconds to open, while a crafted file took 7.35 seconds, a 119-fold increase.
Recommendations and Precautions
Researchers suggest using the -noload flag with textutil, running conversion processes in isolated environments, sanitizing HTML inputs, and applying strict egress filtering.
For KeePassXC, they recommend setting limits on KDF parameters, issuing warnings for extreme values, enforcing time limits for file processing, and isolating file handling from critical operations.
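As an added illustration of the KDF-limit recommendation (this is example code, not from the article or from KeePassXC), the following Python pre-flight check reads the KDF work factors from a KDBX file's cleartext outer header and refuses files whose transform rounds, Argon2 iterations or memory exceed a cap, so an automated pipeline never starts the expensive key derivation on a crafted file. The cap values and the constructed fixture header are assumptions; the magic numbers, field IDs, VariantDictionary layout and parameter names are KeePass's public format constants.

```python
import struct
import uuid
# Public KeePass file-format constants: KDBX magic, outer-header field IDs, AES-KDF UUID.
SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
FIELD_END, FIELD_TRANSFORM_ROUNDS, FIELD_KDF_PARAMS = 0, 6, 11
AES_KDF = uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea")
# Policy caps (assumed values, not from the article): AES-KDF rounds / Argon2 iterations, Argon2 bytes.
MAX_ROUNDS, MAX_MEMORY = 50_000_000, 1 << 30

def _variant_dict(buf: bytes) -> dict:
    """Parse a KDBX4 VariantDictionary into {name: value}; UInt32/UInt64 decoded, other types raw."""
    pos, out = 2, {}                      # skip the 2-byte dictionary version (0x0100)
    while buf[pos] != 0:                  # a type byte of 0 terminates the dictionary
        vtype, nlen = buf[pos], struct.unpack_from("<i", buf, pos + 1)[0]
        name = buf[pos + 5:pos + 5 + nlen].decode()
        vlen = struct.unpack_from("<i", buf, pos + 5 + nlen)[0]
        raw = buf[pos + 9 + nlen:pos + 9 + nlen + vlen]
        out[name] = int.from_bytes(raw, "little") if vtype in (0x04, 0x05) else raw
        pos += 9 + nlen + vlen
    return out

def kdf_cost(header: bytes) -> dict:
    """Read the KDF work factors from the cleartext outer header; no key is derived."""
    sig1, sig2, version = struct.unpack_from("<III", header)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    size_fmt = "<I" if (version >> 16) >= 4 else "<H"   # KDBX4 widened the field-size prefix
    pos, cost = 12, {"rounds": None, "memory": 0}
    while True:
        fid, flen = header[pos], struct.unpack_from(size_fmt, header, pos + 1)[0]
        start = pos + 1 + struct.calcsize(size_fmt)
        data, pos = header[start:start + flen], start + flen
        if fid == FIELD_END:
            return cost
        if fid == FIELD_TRANSFORM_ROUNDS:          # KDBX 3.x: bare uint64 transform rounds
            cost["rounds"] = struct.unpack("<Q", data)[0]
        elif fid == FIELD_KDF_PARAMS:              # KDBX 4.x: VariantDictionary of KDF params
            p = _variant_dict(data)                # AES-KDF carries "R"; Argon2 carries "I" and "M"
            cost["rounds"], cost["memory"] = (p["R"], 0) if uuid.UUID(bytes=p["$UUID"]) == AES_KDF else (p["I"], p["M"])

def is_safe_to_open(header: bytes) -> bool:
    c = kdf_cost(header)   # reject unknown or extreme work factors before any KDF runs
    return c["rounds"] is not None and c["rounds"] <= MAX_ROUNDS and c["memory"] <= MAX_MEMORY

def constructed_kdbx4_header(rounds: int) -> bytes:
    """Constructed fixture, not a real vault: a KDBX 4.0 outer header using AES-KDF with `rounds`."""
    entry = lambda t, n, v: bytes([t]) + struct.pack("<i", len(n)) + n.encode() + struct.pack("<i", len(v)) + v
    vd = struct.pack("<H", 0x0100) + entry(0x42, "$UUID", AES_KDF.bytes) + entry(0x05, "R", struct.pack("<Q", rounds)) + b"\x00"
    body = bytes([FIELD_KDF_PARAMS]) + struct.pack("<I", len(vd)) + vd + bytes([FIELD_END]) + struct.pack("<I", 4) + b"\r\n\r\n"
    return struct.pack("<III", SIG1, SIG2, 0x00040000) + body
```

Any exception raised by kdf_cost (truncated header, missing parameter, malformed UUID) should also be treated as a reject, and this check sits in front of the per-file time limit rather than replacing it.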
