DaVinci Resolve video editor enables privilege escalation on macOS

The Polish CERT warns of a vulnerability in the video editing software DaVinci Resolve for Macs. It enables privilege escalation.

(Image caption: Video clips are used to trick victims into running malware. Image created with AI in Bing Designer by heise online / dmk)


The Polish CERT warns of a security vulnerability in the video editing and post-processing software DaVinci Resolve. Attackers can abuse it to escalate privileges on the system or to perform dylib hijacking.

In a security advisory, CERT.pl explains that the DaVinci Resolve app is installed on macOS with incorrect access rights, namely "rwxrwxrwx", which makes it writable by every user on the machine. For security reasons, the standard under macOS is "drwxr-xr-x" for access rights in the file system (CVE-2025-1413, CVSS 9.2, risk "critical"). The permissions are given in the usual Unix notation, in the order read (r), write (w) and execute (x), for the file or folder owner, the group and all others. "Incorrect access rights enable Dylib hijacking. Guest accounts, other users and applications can abuse the vulnerability to extend access rights," write the IT security researchers in the security advisory.
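As an added example that is not part of the article or the CERT.pl advisory, the following Python script audits an app bundle for entries that are writable by "other" and prints each one in the same rwxrwxrwx notation described above; the sample bundle it builds and the dylib name in it are constructed for illustration.

```python
"""Audit a macOS .app bundle for world-writable entries (added example).

Any file or directory inside a bundle that grants write to "other" lets any
local user replace a library the app loads, which is the dylib-hijacking
condition the advisory describes. Run as: python audit_bundle.py /path/To.app
"""
import os
import stat
import sys
import tempfile
from pathlib import Path


def mode_to_symbolic(mode: int) -> str:
    """Render permission bits as rwxrwxrwx (owner, group, other)."""
    bits = [
        (stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
        (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
        (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"),
    ]
    return "".join(ch if mode & bit else "-" for bit, ch in bits)


def find_world_writable(root: str, include_group: bool = False) -> list[tuple[str, str]]:
    """Return (path, symbolic mode) for every entry under root, root included,
    that is writable by 'other' (and optionally by group). lstat is used so a
    symlink's own mode is checked rather than that of its target."""
    wanted = stat.S_IWOTH | (stat.S_IWGRP if include_group else 0)
    paths = [Path(root)]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(Path(dirpath, n) for n in dirnames + filenames)
    return sorted((str(p), mode_to_symbolic(p.lstat().st_mode))
                  for p in paths if p.lstat().st_mode & wanted)


def make_demo_bundle() -> str:
    """Build a constructed sample bundle in a temp dir: 0o755 everywhere except
    one library left 0o777, mirroring the misconfiguration in the advisory."""
    root = Path(tempfile.mkdtemp(suffix=".app"))
    frameworks = root / "Contents" / "Frameworks"
    frameworks.mkdir(parents=True)
    main_bin = root / "Contents" / "MacOS" / "app"
    main_bin.parent.mkdir()
    main_bin.write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only, constructed stub
    bad = frameworks / "libexample.dylib"       # hypothetical library name
    bad.write_bytes(b"\xcf\xfa\xed\xfe")
    for p in (root, root / "Contents", frameworks, main_bin.parent, main_bin):
        p.chmod(0o755)
    bad.chmod(0o777)
    return str(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_bundle()
    for path, sym in find_world_writable(target):
        print(f"{sym}  {path}")
```

Every hit should be tightened with chmod to remove the write bit for "other" (and the app reinstalled from a trusted source if its contents may already have been modified).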

According to CERT.pl, all versions of DaVinci Resolve prior to 19.1.3 are affected. The project has now released version 19.1.3 to close the vulnerability.


Due to the severity of the vulnerability, DaVinci Resolve users should update to the new version as soon as possible. It is available for various operating systems after clicking the "Free Download Now" button on the DaVinci Resolve website. The updated version is also available in the Mac App Store, for example.

DaVinci Resolve is powerful even in the free version and is also very popular because of its price. For example, it is ideal for creating reels and short videos for social media platforms such as YouTube, TikTok or Instagram. heise online also provides a video tutorial that explains how to do this easily.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.