CVE-2025-43229

MEDIUM
2025-07-30 [email protected]
6.1
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 02, 2026 - 19:37 (vuln.today)
CVE Published: Jul 30, 2025 - 00:15 (nvd), MEDIUM 6.1

Description

This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.

Analysis

Universal cross-site scripting (XSS) in Safari and macOS allows remote attackers to execute arbitrary JavaScript in the context of visited websites by processing maliciously crafted web content. The vulnerability affects Safari 18.5 and earlier, and macOS Sequoia 15.5 and earlier, and is fixed in Safari 18.6 and macOS Sequoia 15.6. The attack requires user interaction (clicking a malicious link or visiting a compromised site) but carries no authentication requirement. An EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Technical Context

This XSS vulnerability (CWE-79) stems from improper state management in Safari's web content processing engine, allowing attackers to bypass same-origin policy protections that normally isolate scripts executed in different security contexts. The flaw affects Apple's WebKit rendering engine, which powers Safari on macOS. The vulnerability is classified as a reflected or stored XSS variant where maliciously crafted HTML, JavaScript, or other web content triggers the state management failure, enabling scripts to access sensitive data or perform actions across multiple origins. The network-based attack vector combined with required user interaction (UI:R) means the exploit must trick users into visiting attacker-controlled or compromised websites.

Affected Products

Apple Safari versions prior to 18.6 and Apple macOS Sequoia versions prior to 15.6 are affected, as indicated by the CPE strings cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* and cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*. The version boundaries indicate that Safari 18.5 and earlier, and macOS Sequoia 15.5 and earlier, contain the vulnerable code. Systems running these versions should prioritize upgrading to Safari 18.6 or macOS Sequoia 15.6. Apple's official advisories at https://support.apple.com/en-us/124149 and https://support.apple.com/en-us/124152 provide comprehensive affected version details.

Remediation

Vendor-released patch: Update to Safari 18.6 or macOS Sequoia 15.6 or later. Apple users should navigate to System Preferences > General > Software Update (macOS) or Settings > General > About > Software Update (Safari on iOS) to install the patched versions. The fix addresses the underlying state management issue through improved handling of web content processing contexts. No workarounds are available for unpatched systems; patching is the only remediation. Administrators managing macOS deployments should use Mobile Device Management (MDM) or similar tools to enforce timely updates. Complete patch details are available in Apple's security advisories at https://support.apple.com/en-us/124149 and https://support.apple.com/en-us/124152.

Priority Score

Score: 31
KEV: 0
EPSS: +0.0
CVSS: +30
POC: 0
