Skip to main content

Safari CVE-2025-43229

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-30 product-security@apple.com
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 02, 2026 - 19:37 vuln.today
CVE Published
Jul 30, 2025 - 00:15 nvd
MEDIUM 6.1

DescriptionCVE.org

This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.

AnalysisAI

Universal cross-site scripting (XSS) in Safari and macOS allows remote attackers to execute arbitrary JavaScript in the context of visited websites by processing maliciously crafted web content. The vulnerability affects Safari 18.5 and earlier, and macOS Sequoia 15.5 and earlier, and is fixed in Safari 18.6 and macOS Sequoia 15.6. Attack requires user interaction (clicking a malicious link or visiting a compromised site) but carries no authentication requirement. EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Technical ContextAI

This XSS vulnerability (CWE-79) stems from improper state management in Safari's web content processing engine, allowing attackers to bypass same-origin policy protections that normally isolate scripts executed in different security contexts. The flaw affects Apple's WebKit rendering engine, which powers Safari on macOS. The vulnerability is classified as a reflected or stored XSS variant where maliciously crafted HTML, JavaScript, or other web content triggers the state management failure, enabling scripts to access sensitive data or perform actions across multiple origins. The network-based attack vector combined with required user interaction (UI:R) means the exploit must trick users into visiting attacker-controlled or compromised websites.

RemediationAI

Vendor-released patch: Update to Safari 18.6 or macOS Sequoia 15.6 or later. Apple users should navigate to System Preferences > General > Software Update (macOS) or Settings > General > About > Software Update (Safari on iOS) to install the patched versions. The fix addresses the underlying state management issue through improved handling of web content processing contexts. No workarounds are available for unpatched systems; patching is the only remediation. Administrators managing macOS deployments should use Mobile Device Management (MDM) or similar tools to enforce timely updates. Complete patch details are available in Apple's security advisories at https://support.apple.com/en-us/124149 and https://support.apple.com/en-us/124152.

More in Safari

View all
CVE-2017-2547 HIGH POC
8.8 May 22

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2014-1303 CRITICAL POC
10.0 Mar 26

Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox

CVE-2023-43000 HIGH POC
8.8 Nov 05

A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability

CVE-2016-4622 HIGH
8.8 Jul 22

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrar

CVE-2015-1155 MEDIUM POC
4.3 May 08

The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allo

CVE-2015-1126 MEDIUM POC
4.3 Apr 10

WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not

CVE-2017-2446 HIGH POC
8.8 Apr 02

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13802 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13795 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13794 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13792 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13785 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

Share

CVE-2025-43229 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy