CVE-2024-14032

Twitch Studio LauncherHelper XPC Missing Authorization to Root File Write

CVSS 8.5 HIGHEPSS 0.2%CWE-862

Twitch Studio version 0.114.8 and prior contain a privilege escalation vulnerability in its privileged helper tool that allows local attackers to execute arbitrary code as root by exploiting an unprotected XPC service. Attackers can invoke the installFromPath:toPath:withReply: method to overwrite system files and privileged binaries, achieving full system compromise. Twitch Studio was discontinued in May 2024.

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Twitch · Twitch Studio

public PoCs found — 1

cve_referencewww.iru.com/blog/twitch-privileged-helperunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://help.twitch.tv/s/article/recommended-software-for-broadcasting https://help.twitch.tv/s/topic/0TO3a000000kZfYGAU/twitch-studio https://www.iru.com/blog/twitch-privileged-helper https://www.vulncheck.com/advisories/twitch-studio-launcherhelper-xpc-missing-authorization-to-root-file-write