Splashin iOS
CVE-2025-45157
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Location data constitutes sensitive personal information warranting C:H; description implies read-only access only, so I:N; AV:N/PR:N confirmed by unauthenticated API bypass.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Insecure permissions in Splashin iOS v2.0 allow unauthorized attackers to access location data for specific users.
AnalysisAI
Insecure permissions in Splashin iOS v2.0 expose precise location data for targeted users to unauthenticated network attackers via broken access control. The flaw, classified under CWE-284 (Improper Access Control), allows any remote party to query location information without credentials, bypassing the application's intended authorization model. No public exploit identified at time of analysis is inaccurate here - a publicly available proof-of-concept is documented in the referenced researcher disclosure, though EPSS remains low (0.24%, 15th percentile), suggesting opportunistic exploitation has not yet materialized at scale.
Technical ContextAI
The affected product is Splashin v2.0, an iOS application (iPhone OS), as confirmed by CPE cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*. The root cause is CWE-284 (Improper Access Control), a class of vulnerability where the application fails to enforce authorization checks on sensitive operations - in this case, API endpoints or data retrieval paths that expose GPS or network-derived location coordinates for individual users. On iOS platforms, apps are expected to enforce both OS-level permission grants and server-side authorization; this flaw indicates a gap on the server or API layer, where location queries can be made without presenting valid credentials or session tokens. The 'Authentication Bypass' tag in the intelligence data corroborates that the permission enforcement mechanism is absent or bypassable rather than merely misconfigured.
RemediationAI
No vendor-released patch has been identified at time of analysis; the only reference is a researcher-authored disclosure with no corresponding vendor response or fixed version noted. Affected users should consider removing the Splashin iOS application or revoking its iOS location permissions via Settings > Privacy & Security > Location Services until a patch is confirmed. Revoking iOS location permissions at the OS level mitigates local data access but may not prevent server-side location data already stored from being queried via the API flaw. Splashin backend operators, if any, should audit API endpoints for missing authorization middleware and enforce server-side authentication on all user data retrieval paths. Users seeking a compensating control should disable location sharing within the app entirely and monitor for a vendor response at the disclosure reference https://carterlasalle.github.io/splashin-cve-2025/splashin-1.pdf.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today