What is the CVSS score of CVE-2025-43229?

CVE-2025-43229 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

macOS CVE-2025-43229

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2025-07-30 product-security@apple.com

XSS Apple macOS Safari

6.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Apr 02, 2026 - 19:37 vuln.today

CVE Published

Jul 30, 2025 - 00:15 nvd

MEDIUM 6.1

DescriptionNVD

This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.

AnalysisAI

Universal cross-site scripting (XSS) in Safari and macOS allows remote attackers to execute arbitrary JavaScript in the context of visited websites by processing maliciously crafted web content. The vulnerability affects Safari 18.5 and earlier, and macOS Sequoia 15.5 and earlier, and is fixed in Safari 18.6 and macOS Sequoia 15.6. Attack requires user interaction (clicking a malicious link or visiting a compromised site) but carries no authentication requirement. EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

Technical ContextAI

This XSS vulnerability (CWE-79) stems from improper state management in Safari's web content processing engine, allowing attackers to bypass same-origin policy protections that normally isolate scripts executed in different security contexts. The flaw affects Apple's WebKit rendering engine, which powers Safari on macOS. The vulnerability is classified as a reflected or stored XSS variant where maliciously crafted HTML, JavaScript, or other web content triggers the state management failure, enabling scripts to access sensitive data or perform actions across multiple origins. The network-based attack vector combined with required user interaction (UI:R) means the exploit must trick users into visiting attacker-controlled or compromised websites.

RemediationAI

Vendor-released patch: Update to Safari 18.6 or macOS Sequoia 15.6 or later. Apple users should navigate to System Preferences > General > Software Update (macOS) or Settings > General > About > Software Update (Safari on iOS) to install the patched versions. The fix addresses the underlying state management issue through improved handling of web content processing contexts. No workarounds are available for unpatched systems; patching is the only remediation. Administrators managing macOS deployments should use Mobile Device Management (MDM) or similar tools to enforce timely updates. Complete patch details are available in Apple's security advisories at https://support.apple.com/en-us/124149 and https://support.apple.com/en-us/124152.

More from same product – last 7 days

CVE-2026-44739 HIGH This Week

8.7 May 27

SQL injection in Pimcore's CustomReportsBundle (versions ≤ 12.3.5) lets an authenticated user holding the reports_config

CVE-2026-5817 HIGH This Week

8.2 May 22

Arbitrary code execution in Docker Model Runner's vllm-metal inference backend on macOS allows any container on the Dock

CVE-2026-5843 HIGH This Week

8.2 May 22

Arbitrary code execution in Docker Desktop's Model Runner on macOS allows any container on the Docker network to escape

CVE-2025-43306 HIGH This Week

7.8 May 26

Local privilege escalation in Apple macOS allows a malicious app already running with low privileges to elevate to root

CVE-2026-49237 HIGH This Week

7.8 May 28

Local privilege escalation in Canonical Multipass for macOS before 1.16.3 allows a low-privileged local user to obtain r

CVE-2025-43229 vulnerability details – vuln.today

Back