LOWCVE-2024-37885CVSS 3.8

CVE-2024-37885: Code Injection in Nextcloud Desktop Client

Q: What is CVE-2024-37885 — code injection in Nextcloud Desktop Client?

CVE-2024-37885 is a code injection vulnerability in the Nextcloud Desktop Client for macOS, allowing arbitrary code execution if `DYLD_INSERT_LIBRARIES` is exploited. It has a LOW severity rating.

Q: Am I affected by CVE-2024-37885 in Nextcloud Desktop Client?

You are affected if you are using Nextcloud Desktop Client for macOS versions prior to 3.12.0. Upgrade to the latest version to resolve the issue.

Q: How do I fix CVE-2024-37885 in Nextcloud Desktop Client?

Upgrade the Nextcloud Desktop Client to version 3.12.0 or later. As a temporary workaround, restrict access to the `DYLD_INSERT_LIBRARIES` environment variable.

Q: Is CVE-2024-37885 being actively exploited?

There is no confirmed active exploitation of CVE-2024-37885 at this time, but it's crucial to apply the patch proactively.

Q: Where can I find the official Nextcloud advisory for CVE-2024-37885?

Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)

Platform

nextcloud

Component

nextcloud-desktop

Fixed in

3.12.1

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2024-37885 describes a code injection vulnerability affecting the Nextcloud Desktop Client for macOS. This flaw allows an attacker to load arbitrary code when the client is launched with the DYLDINSERTLIBRARIES environment variable set. Versions of the Nextcloud Desktop Client prior to 3.12.0 are affected. A fix is available in version 3.12.0.

Impact and Attack Scenarios

The vulnerability lies in how the Nextcloud Desktop Client handles the DYLDINSERTLIBRARIES environment variable on macOS. If an attacker can control this environment variable, they can inject malicious code that will be executed when the client starts. This could lead to arbitrary code execution with the privileges of the Nextcloud Desktop Client process, potentially allowing an attacker to gain access to synchronized files, modify data, or compromise the user's system. The impact is limited by the client's permissions, but successful exploitation could still be significant.

Exploitation Context

This vulnerability was publicly disclosed on 2024-06-14. No public proof-of-concept (PoC) code has been released at the time of writing. The CVSS score is LOW (3.8), indicating a relatively low probability of exploitation. It is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureLow

EPSS

0.13% (32% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impactpartial

CVSS Vector

Affected Software

Componentnextcloud-desktop

Vendornextcloud

Affected rangeFixed in

< 3.12.0 – < 3.12.03.12.1

Weakness Classification (CWE)

CWE-94

Timeline

Reserved2024-06-10
Published2024-06-14
Modified2024-08-02
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-37885 is to upgrade the Nextcloud Desktop Client to version 3.12.0 or later. If upgrading is not immediately possible, restrict access to the DYLDINSERTLIBRARIES environment variable. This can be achieved by carefully controlling the environment in which the client is launched and ensuring that only trusted processes can modify it. Consider implementing stricter security policies around environment variable manipulation. After upgrade, confirm by launching the client and verifying that the DYLDINSERTLIBRARIES variable is not being exploited.

How to fix

Update the Nextcloud Desktop Client to version 3.12.0 or higher. This update addresses a code injection vulnerability that could allow arbitrary code execution. Download the latest version from the official Nextcloud website.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-37885 — code injection in Nextcloud Desktop Client?

CVE-2024-37885 is a code injection vulnerability in the Nextcloud Desktop Client for macOS, allowing arbitrary code execution if DYLDINSERTLIBRARIES is exploited. It has a LOW severity rating.

Am I affected by CVE-2024-37885 in Nextcloud Desktop Client?

You are affected if you are using Nextcloud Desktop Client for macOS versions prior to 3.12.0. Upgrade to the latest version to resolve the issue.

How do I fix CVE-2024-37885 in Nextcloud Desktop Client?

Upgrade the Nextcloud Desktop Client to version 3.12.0 or later. As a temporary workaround, restrict access to the DYLDINSERTLIBRARIES environment variable.

Is CVE-2024-37885 being actively exploited?

There is no confirmed active exploitation of CVE-2024-37885 at this time, but it's crucial to apply the patch proactively.

Where can I find the official Nextcloud advisory for CVE-2024-37885?

Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan free

Search CVEs

What do these metrics mean?

Attack Vector: Local — attacker needs a local shell or interactive session on the system.
Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
Privileges Required: High — admin or privileged account required to exploit.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: Low — partial or intermittent denial of service. Attacker can degrade performance.