Safari
CVE-2025-43229
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.
AnalysisAI
Universal cross-site scripting (XSS) in Safari and macOS allows remote attackers to execute arbitrary JavaScript in the context of visited websites by processing maliciously crafted web content. The vulnerability affects Safari 18.5 and earlier, and macOS Sequoia 15.5 and earlier, and is fixed in Safari 18.6 and macOS Sequoia 15.6. Attack requires user interaction (clicking a malicious link or visiting a compromised site) but carries no authentication requirement. EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.
Technical ContextAI
This XSS vulnerability (CWE-79) stems from improper state management in Safari's web content processing engine, allowing attackers to bypass same-origin policy protections that normally isolate scripts executed in different security contexts. The flaw affects Apple's WebKit rendering engine, which powers Safari on macOS. The vulnerability is classified as a reflected or stored XSS variant where maliciously crafted HTML, JavaScript, or other web content triggers the state management failure, enabling scripts to access sensitive data or perform actions across multiple origins. The network-based attack vector combined with required user interaction (UI:R) means the exploit must trick users into visiting attacker-controlled or compromised websites.
RemediationAI
Vendor-released patch: Update to Safari 18.6 or macOS Sequoia 15.6 or later. Apple users should navigate to System Preferences > General > Software Update (macOS) or Settings > General > About > Software Update (Safari on iOS) to install the patched versions. The fix addresses the underlying state management issue through improved handling of web content processing contexts. No workarounds are available for unpatched systems; patching is the only remediation. Administrators managing macOS deployments should use Mobile Device Management (MDM) or similar tools to enforce timely updates. Complete patch details are available in Apple's security advisories at https://support.apple.com/en-us/124149 and https://support.apple.com/en-us/124152.
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox
A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrar
The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allo
WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today