Skip to main content

Splashin iOS CVE-2025-45156

MEDIUM
2025-07-18 cve@mitre.org
5.3
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.4 MEDIUM

PR:L reflects the required free-tier account; I:L captures the business logic bypass granting unauthorized tier capabilities; A:L retained for API flooding risk.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 05, 2026 - 02:11 vuln.today
CVE Published
Jul 18, 2025 - 17:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users.

AnalysisAI

Splashin iOS v2.0 fails to enforce server-side rate limiting on location update frequency for free-tier accounts, allowing free users to bypass tier-based restrictions and submit location updates at an unrestricted rate. Confirmed by CPE (cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*), this business logic flaw exposes the platform's API to abuse by any free-tier account holder. A publicly available proof-of-concept is referenced via NVD exploit tag; EPSS sits at 0.36% (28th percentile), indicating low probability of widespread automated exploitation.

Technical ContextAI

Splashin is an iOS application identified by CPE cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*. The flaw represents a server-side business logic enforcement failure: the backend API accepting location update payloads does not validate whether the requesting free-tier user has satisfied the minimum permitted interval since their last submission. This is a textbook client-side restriction without server-side enforcement pattern - the interval restriction exists in application logic but is not enforced at the API layer. No CWE is officially assigned; the closest classifications would be CWE-799 (Improper Control of Interaction Frequency) and CWE-602 (Client-Side Enforcement of Server-Side Security). The 'Information Disclosure' tag noted in the intelligence data conflicts with the CVSS C:N metric; in a location-sharing context, unrestricted update frequency could expose finer-grained location trails than the free tier is designed to permit, though this confidentiality dimension is not reflected in the official CVSS score.

RemediationAI

The primary fix is implementing server-side enforcement of location update intervals for free-tier accounts: the server must persist each user's last accepted update timestamp and reject or queue any subsequent request arriving before the minimum permitted interval, returning HTTP 429 with a Retry-After header to signal rate limiting. This check must occur at the API layer, not the client, to prevent bypass. Until a patched release is available, the vendor can implement a rate-limiting middleware (e.g., token bucket or sliding-window counter keyed to user ID and tier) at the API gateway level - the trade-off is added latency for all location update requests, which is acceptable given the low-frequency nature of the feature. No vendor-released patched version has been identified in available data; the researcher PDF at https://carterlasalle.github.io/splashin-cve-2025/splashin-1.pdf may contain additional remediation details. Users cannot self-remediate at the client level.

Share

CVE-2025-45156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy