Perplexity macOS CVE-2025-0599 reveals agentic desktop attack surface
A critical CORS misconfiguration in Perplexity AI’s macOS app (CVE-2025-0599) exposed local files and highlights broader security risks in agentic desktop AI. A deep dive describes how an embedded local server behind Perplexity’s macOS app (“Comet”) accepted cross-origin requests from anywhere, enabling drive-by commands and potential local file exfiltration, an archetypal pitfall as AI tools rush from browser to desktop [WebProNews analysis](https://www.webpronews.com/the-unintended-window-perplexity-ais-browser-flaw-and-the-rush-to-desktop-dominance/). The pattern is familiar to backend teams: localhost bindings without strict origin checks, missing CSRF protection, and permissive CORS that effectively turns the loopback interface into a target.

Framed against how [agentic AI works](https://www.blackfog.com/cybersecurity-101/agentic-ai/) (multi-step planning, tool use, and autonomous action), the blast radius of such flaws expands because agents routinely touch credentials, files, and internal APIs. That autonomy demands tighter guardrails than typical chat UXs.

An InfoWorld investigation into the OpenClaw agent ecosystem on “Moltbook” shows operational realities: a human easily masqueraded as a bot using Claude Code and encountered spammy prompts to run commands and share wallets, underscoring why agent communities and toolchains must be treated as untrusted inputs with strong sandboxing, permissions, and audit trails [InfoWorld report](https://www.infoworld.com/article/4138099/what-i-learned-as-an-undercover-agent-on-moltbook.html).
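
The loopback pattern named above (no origin check, no CSRF protection, permissive CORS), set beside a stricter request policy for a local server. This is an added example, not code from Perplexity or from the cited analyses; the origin, port, token header name and sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets

# Assumptions for this example: the UI origin, port and header name are hypothetical.
ALLOWED_ORIGINS = {"http://127.0.0.1:8731"}
TOKEN_HEADER = "x-local-token"
SESSION_TOKEN = secrets.token_urlsafe(32)  # generated per launch, handed only to the app's own UI


def permissive_policy(headers):
    """Weak pattern: every origin is accepted and nothing proves who is calling."""
    return True, {"Access-Control-Allow-Origin": "*"}


def strict_policy(headers, token=SESSION_TOKEN):
    """Accept only the app's own origin presenting the per-launch token."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    origin = h.get("origin")
    # A browser page on another site sends its own Origin (or "null" when sandboxed).
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, {}
    # The token covers requests with no Origin header and acts as the CSRF check.
    supplied = h.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), token.encode()):
        return False, {}
    cors = {"Vary": "Origin"}
    if origin is not None:
        cors["Access-Control-Allow-Origin"] = origin  # echo the exact allowed origin, never "*"
    return True, cors


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "own_ui": {"Origin": "http://127.0.0.1:8731", "X-Local-Token": SESSION_TOKEN},
    "other_site": {"Origin": "https://example.test"},
    "other_site_guessing": {"Origin": "https://example.test", "X-Local-Token": "guess"},
    "sandboxed_frame": {"Origin": "null", "X-Local-Token": SESSION_TOKEN},
    "no_origin_no_token": {},
}


def evaluate(policy):
    """Return {sample name: allowed?} for the given policy."""
    return {name: policy(hdrs)[0] for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for policy in (permissive_policy, strict_policy):
        print(policy.__name__, evaluate(policy))
```

The strict policy rejects on either check independently, so a leaked token alone does not let a foreign origin through, and a spoofed or absent Origin header does not help without the token.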