Skip to main content

Safari CVE-2025-43526

CRITICAL
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2025-12-17 product-security@apple.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Apr 02, 2026 - 19:37 vuln.today
CVE Published
Dec 17, 2025 - 21:16 nvd
CRITICAL 9.8

DescriptionCVE.org

This issue was addressed with improved URL validation. This issue is fixed in Safari 26.2, macOS Tahoe 26.2. On a Mac with Lockdown Mode enabled, web content opened via a file URL may be able to use Web APIs that should be restricted.

AnalysisAI

Apple Safari and macOS Lockdown Mode can be bypassed to access restricted Web APIs through maliciously crafted file URLs due to insufficient URL validation. Affects Safari 26.2 and macOS Tahoe 26.2 on systems with Lockdown Mode enabled. Remote attackers can potentially execute high-impact attacks leveraging APIs meant to be restricted in high-security configurations. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability. No public exploit identified at time of analysis. This represents a serious compromise of Apple's enhanced security feature designed to protect high-risk users from targeted attacks.

Technical ContextAI

Apple's Lockdown Mode is an optional security feature introduced to protect users facing targeted digital threats by restricting certain Web APIs and advanced browser features. This vulnerability stems from inadequate URL validation (CWE-601: URL Redirection to Untrusted Site) in how Safari and macOS handle file:// protocol URLs when Lockdown Mode is active. The flaw allows file-based web content to bypass the restricted API enforcement mechanism, effectively neutralizing protections intended to limit attack surface against sophisticated adversaries. The affected products are Apple Safari browser (all versions prior to 26.2) and macOS operating system (versions prior to Tahoe 26.2). The vulnerability specifically undermines the trust boundary that should exist between local file content and web-origin-based security policies, allowing file URLs to access capabilities that Lockdown Mode explicitly aims to disable for threat mitigation.

RemediationAI

Vendor-released patches are available and users should immediately update to Safari 26.2 and macOS Tahoe 26.2 (macOS 26.2), which address this issue through improved URL validation mechanisms. Organizations and individuals using Lockdown Mode should prioritize these updates as the feature's security guarantees are compromised in unpatched versions. Update Safari through the App Store or System Preferences Software Update mechanism, and update macOS through System Preferences/System Settings Software Update. Detailed installation guidance is provided in Apple's security advisories at https://support.apple.com/en-us/125886 (Safari) and https://support.apple.com/en-us/125892 (macOS). No effective workaround exists aside from disabling Lockdown Mode entirely, which would eliminate the intended security protections for high-risk users. Users should avoid opening untrusted file URLs or downloading files from unknown sources until systems are patched, particularly when Lockdown Mode is enabled.

More in Safari

View all
CVE-2017-2547 HIGH POC
8.8 May 22

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2014-1303 CRITICAL POC
10.0 Mar 26

Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox

CVE-2023-43000 HIGH POC
8.8 Nov 05

A use-after-free issue was addressed with improved memory management. Rated high severity (CVSS 8.8), this vulnerability

CVE-2016-4622 HIGH
8.8 Jul 22

WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrar

CVE-2015-1155 MEDIUM POC
4.3 May 08

The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allo

CVE-2015-1126 MEDIUM POC
4.3 Apr 10

WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not

CVE-2017-2446 HIGH POC
8.8 Apr 02

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13802 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13795 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13794 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13792 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

CVE-2017-13785 HIGH POC
8.8 Nov 13

An issue was discovered in certain Apple products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploi

Share

CVE-2025-43526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy