Cyber Resilience

CVE-2025-65741

Critical · Public PoC

Published: 09 December 2025
Modified: 02 January 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (34.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-65741 is a critical-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Sublime Text 3. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 34.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-65741 is a Dylib Injection vulnerability (CWE-427) affecting Sublime Text 3 Build 3208 and prior versions on macOS. Published on 2025-12-09, it enables an attacker to compile a malicious .dylib file and force its execution within the context of the Sublime Text application. The issue carries a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severe potential impact.

As scored, the CVSS vector describes a network-reachable attack of low complexity that requires neither privileges nor user interaction. Successful exploitation allows arbitrary code execution in the Sublime Text process context, with high impact on confidentiality, integrity, and availability. The vulnerability description itself only states that an attacker compiles a .dylib and forces the application to load it; it does not say how the library reaches the target system.

Mitigation details are available in advisories referenced at https://github.com/sublimehq/sublime_text, https://www.sublimetext.com/3, and https://github.com/vinicius-batistella/CVE-2025-65741/. Security practitioners should consult these sources for patching guidance and updates beyond Build 3208.

Vulnerability details

Sublime Text 3 Build 3208 or prior for macOS is vulnerable to Dylib Injection. An attacker could compile a .dylib file and force the execution of this library in the context of the Sublime Text application.

CWE(s)

CWE-427 (Uncontrolled Search Path Element)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1574.004 Dylib Hijacking · Stealth
Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime.

Why these techniques?

The vulnerability is a Dylib Injection flaw (CWE-427, uncontrolled search path element) that enables arbitrary code execution in Sublime Text via a malicious .dylib. It maps directly to Exploitation for Client Execution (T1203) and Dylib Hijacking (T1574.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32172 · Shared CWE-427
CVE-2024-9493 · Shared CWE-427
CVE-2024-9495 · Shared CWE-427
CVE-2026-24502 · Shared CWE-427
CVE-2024-57963 · Shared CWE-427
CVE-2026-23741 · Shared CWE-427
CVE-2025-33229 · Shared CWE-427
CVE-2025-21127 · Shared CWE-427
CVE-2026-22619 · Shared CWE-427
CVE-2025-48503 · Shared CWE-427

Affected Assets

sublimetext · sublime text 3 · ≤ 3.2.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-65741 by requiring timely patching of Sublime Text 3 to versions beyond Build 3208, addressing the Dylib Injection flaw.

detect

Scans for and identifies vulnerable installations of Sublime Text 3 Build 3208 or prior affected by the Dylib Injection vulnerability.

prevent · detect

Provides defense-in-depth by scanning for and blocking malicious .dylib files that exploit the Sublime Text Dylib Injection vulnerability.
