iOS CVE-2025-43227
Severity: HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (NVD)
This issue was addressed through improved state management. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6, watchOS 11.6. Processing maliciously crafted web content may disclose sensitive user information.
Analysis (AI-generated)
Information disclosure vulnerability in WebKit across Apple's ecosystem allows unauthenticated remote attackers to extract sensitive user information through maliciously crafted web content. The flaw affects Safari 18.x, iOS/iPadOS 18.x, macOS Sequoia 15.x, tvOS 18.x, visionOS 2.x, and watchOS 11.x, stemming from improper state management (CWE-359). Despite a CVSS score of 7.5, real-world exploitation risk remains relatively low with 0.13% EPSS probability and no public exploit identified at time of analysis. Vendor-released patches are available across all affected platforms.
Technical Context (AI-generated)
This vulnerability resides in WebKit, Apple's browser engine powering Safari and all web rendering across iOS, macOS, tvOS, visionOS, and watchOS. The root cause is classified as CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor), resulting from inadequate state management during web content processing. State management flaws in browser engines typically involve improper isolation between security contexts, failure to clear sensitive data from memory between operations, or incorrect handling of cross-origin resource boundaries. WebKit's shared architecture across Apple's ecosystem means a single vulnerability affects seven distinct product lines, making this a widespread cross-platform issue. The flaw allows passive information leakage without requiring code execution, suggesting it may exploit timing channels, cache side-effects, or improper data sanitization in browser state transitions.
Remediation (AI-generated)
Apply the vendor-released patches immediately through standard Apple update mechanisms. For macOS users, upgrade to macOS Sequoia 15.6 via System Settings > General > Software Update (advisory https://support.apple.com/en-us/124147). iOS and iPadOS users should update to version 18.6 through Settings > General > Software Update (advisories https://support.apple.com/en-us/124149 and https://support.apple.com/en-us/124152). Safari users on supported macOS versions should update to Safari 18.6 (advisory https://support.apple.com/en-us/124153). Additional platform updates include tvOS 18.6 (advisory https://support.apple.com/en-us/124154), visionOS 2.6 (advisory https://support.apple.com/en-us/124155), and watchOS 11.6. Organizations managing Apple devices through MDM should push these updates centrally. As an interim mitigation where immediate patching is not feasible, restrict web browsing to trusted content sources and consider implementing network-level content filtering, though these measures provide limited protection against a client-side information disclosure vulnerability. No effective workaround exists that maintains full browser functionality while eliminating risk.
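As an added example that is not part of this page or of Apple's advisories, the POSIX shell script below checks reported OS and Safari versions against the fixed versions listed in the remediation text above, the kind of check an administrator would run over an MDM inventory export to find devices still below the patched release. The fixed versions are taken from the text; the product labels, function names, the sample inventory lines and the optional `sw_vers` call are assumptions made for illustration. The version comparison is numeric per component, so 15.10 is correctly treated as newer than 15.6, which a plain string comparison gets wrong.

```shell
#!/bin/sh
# Added example, not from the advisory: compare reported Apple OS / Safari
# versions against the versions in which CVE-2025-43227 is fixed.
# The fixed versions come from the advisory text above; product labels,
# function names and the sample inventory below are constructed.

# fixed_version PRODUCT -> prints the minimum patched version for PRODUCT,
# returns 1 if the product is not covered by the advisory
fixed_version() {
    case "$1" in
        macOS)      echo "15.6" ;;
        iOS|iPadOS) echo "18.6" ;;
        Safari)     echo "18.6" ;;
        tvOS)       echo "18.6" ;;
        visionOS)   echo "2.6" ;;
        watchOS)    echo "11.6" ;;
        *)          return 1 ;;
    esac
}

# version_ge A B -> returns 0 if dotted version A >= B, comparing each
# component numerically (so 15.10 > 15.6 and 18.6.1 >= 18.6); a missing
# component counts as 0, and non-digits in a component are ignored
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
        y=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# check_device PRODUCT VERSION -> prints a verdict; returns 0 (patched),
# 1 (still vulnerable) or 2 (product not covered by the advisory)
check_device() {
    need=$(fixed_version "$1") || { echo "$1: not covered by this advisory"; return 2; }
    if version_ge "$2" "$need"; then
        echo "$1 $2: patched (fixed in $need)"
        return 0
    fi
    echo "$1 $2: VULNERABLE (update to $need or later)"
    return 1
}

# count_vulnerable INVENTORY -> prints the number of vulnerable entries in a
# newline-separated list of "PRODUCT VERSION" lines (e.g. an MDM export);
# the here-document keeps the loop in the current shell so the counter survives
count_vulnerable() {
    n=0
    while read -r product version; do
        [ -z "$product" ] && continue
        rc=0
        check_device "$product" "$version" >/dev/null || rc=$?
        if [ "$rc" -eq 1 ]; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Constructed sample inventory; not real device data.
SAMPLE_INVENTORY="macOS 15.5
macOS 15.6
macOS 15.10
iOS 18.6.1
watchOS 11.5
Safari 18.6"

# Stand-alone run: one verdict per line, then the total
while read -r product version; do
    [ -n "$product" ] && check_device "$product" "$version" || true
done <<EOF
$SAMPLE_INVENTORY
EOF
echo "vulnerable entries: $(count_vulnerable "$SAMPLE_INVENTORY")"

# On a Mac itself the live OS version can be fed in the same way
# (sw_vers is the macOS version tool; skipped where it does not exist).
if command -v sw_vers >/dev/null 2>&1; then
    check_device macOS "$(sw_vers -productVersion)" || true
fi
```

Feed it the product and version columns from whatever inventory the MDM exports; any product string outside the advisory's list is reported as not covered rather than silently counted as patched, so a typo in a product label cannot hide an unpatched device.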