Researchers Warn macOS textutil and KeePassXC Can Become Attack Primitives in Automation

HomeCyber Security News Researchers Warn macOS textutil and KeePassXC Can Become Attack Primitives in Automation By Tushar Subhra Dutta April 27, 2026 Security researchers have raised a warning about two widely trusted tools, macOS textutil and KeePassXC, showing that both can become dangerous when placed inside automated pipelines that process attacker-controlled input. The findings do not point to traditional software flaws. Instead, they reveal how correct, well-designed features can turn into security risks the moment they cross the wrong trust boundary. The issue is not about broken code. There is no memory corruption, no authentication bypass, and no code execution involved in either case. The risk lives at the system design level, not inside the binary. Automated pipelines commonly treat local utilities as safe, offline, and bounded by default. When those assumptions turn out to be wrong, they open the door to unexpected network requests, resource exhaustion, and exposure of trusted backend infrastructure to outside influence without triggering any visible alert. Cipher Security Labs researchers identified both behaviors during controlled testing on macOS 26.3 (Build 25D125) using a local KeePassXC 2.8.0-snapshot build alongside repeatable differential command-line workflows. Their findings made it clear that neither tool is defective. The real issue, as they explained, is that engineers and system builders routinely assume a safer behavior model than reality actually provides. The vulnerability is not the tool itself but the assumptions teams construct around it. The first case involves macOS textutil, a system binary at /usr/bin/textutil used in scripts, CI jobs, and backend workers to convert or normalize documents. Engineers commonly treat it as offline-safe since it is a local, mature utility that only processes files already on the system. The problem is that when textutil converts an HTML file containing remote references such as images or linked stylesheets, it silently fetches those resources over the network. A pipeline that assumes document conversion is a purely local, bounded operation does not account for this side effect at all. The tests confirmed that plain HTML with no remote references produced zero outbound requests, while HTML containing remote image and stylesheet links triggered live HTTP fetches. Differential textutil Test – Control vs Remote HTML Input (Source – Cipher Security Labs) In a backend environment where an attacker supplies the HTML and the conversion worker has network access, this behavior functions as a server-side request primitive, similar in effect to server-side request forgery (SSRF), even though textutil operates exactly as intended. Inside the KeePassXC KDF Boundary Problem The second case focuses on how KeePassXC handles key derivation function (KDF) parameters stored inside KDBX database files. Password managers are intentionally slow at key derivation because each unlock attempt must be computationally expensive enough to resist offline brute-force attacks. This is a security feature by design, not a software defect. The concern researchers raised is that a crafted KDBX file can embed extreme transform-round values in its own metadata. When any system opens or processes that file, it must complete all the derivation work the file defines before moving forward. KeePassXC KDF Timing – Baseline vs Crafted Testcase (Source – Cipher Security Labs) A standard KDBX file with roughly 1,000,000 transform rounds took about 0.06 seconds. A crafted file with 353,321,536 rounds took approximately 7.35 seconds, a slowdown factor of 119 times. Testcase layout (Source – Cipher Security Labs) While this confirms this cost comes entirely from metadata, not file size. For a single user manually opening one personal database, this delay is manageable at most. For automated systems that scan, validate, or batch-process many KDBX files at once, the same behavior can exhaust CPU resources, stall workers, and degrade overall service availability. The researchers were clear that no passwords were exposed and no cryptographic primitive was broken in this process. The risk is entirely about resource-consumption driven by attacker-supplied metadata embedded inside the file. Researchers recommend that teams using textutil in untrusted-input pipelines apply the -noload flag, run conversion workers inside sandboxed environments, sanitize remote-bearing HTML before processing, and enforce deny-by-default egress filtering. For KeePassXC deployments, recommendations include applying maximum KDF parameter thresholds, displaying explicit warnings before processing extreme values, enforcing bounded processing time per file, and isolating untrusted file handling from critical operational paths. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Hackers Use Fake CAPTCHA Pages to Trigger Costly International SMS Fraud ‘fast16’ Malware with Sabotage Capabilities Attacking Ultra Expensive Targets Cybercriminals Exploit French Fintech Accounts to Move Stolen Money Before Detection Hackers Use Lotus Wiper to Destroy Drives and Delete Files in Energy Sector Attack ADT Confirms Data Breach Following ShinyHunters Data Leak Claim Latest News Cyber Security ClickUp’s Hardcoded API Key Exposes 959 Emails from Fortune 500 Giants Cyber Security News Critical Gemini CLI Vulnerability Enables Remote Code Execution Attacks Cyber Security News New Vidar Malware Campaign Uses Fake YouTube Software Downloads to Steal Corporate Credentials Cyber Security News New Malware Uses Obfuscation and Staged Payload Delivery to Evade Detection Uncategorized Hackers Using Fake Income Tax Department’s Notice to Deploy Malware