Skip to main content

Splashin iOS CVE-2025-45157

MEDIUM
Improper Access Control (CWE-284)
2025-07-18 cve@mitre.org
6.5
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
7.5 HIGH

Location data constitutes sensitive personal information warranting C:H; description implies read-only access only, so I:N; AV:N/PR:N confirmed by unauthenticated API bypass.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 05, 2026 - 02:12 vuln.today
CVE Published
Jul 18, 2025 - 17:15 cve.org
MEDIUM 6.5

DescriptionCVE.org

Insecure permissions in Splashin iOS v2.0 allow unauthorized attackers to access location data for specific users.

AnalysisAI

Insecure permissions in Splashin iOS v2.0 expose precise location data for targeted users to unauthenticated network attackers via broken access control. The flaw, classified under CWE-284 (Improper Access Control), allows any remote party to query location information without credentials, bypassing the application's intended authorization model. No public exploit identified at time of analysis is inaccurate here - a publicly available proof-of-concept is documented in the referenced researcher disclosure, though EPSS remains low (0.24%, 15th percentile), suggesting opportunistic exploitation has not yet materialized at scale.

Technical ContextAI

The affected product is Splashin v2.0, an iOS application (iPhone OS), as confirmed by CPE cpe:2.3:a:splashin:splashin:2.0:*:*:*:*:iphone_os:*:*. The root cause is CWE-284 (Improper Access Control), a class of vulnerability where the application fails to enforce authorization checks on sensitive operations - in this case, API endpoints or data retrieval paths that expose GPS or network-derived location coordinates for individual users. On iOS platforms, apps are expected to enforce both OS-level permission grants and server-side authorization; this flaw indicates a gap on the server or API layer, where location queries can be made without presenting valid credentials or session tokens. The 'Authentication Bypass' tag in the intelligence data corroborates that the permission enforcement mechanism is absent or bypassable rather than merely misconfigured.

RemediationAI

No vendor-released patch has been identified at time of analysis; the only reference is a researcher-authored disclosure with no corresponding vendor response or fixed version noted. Affected users should consider removing the Splashin iOS application or revoking its iOS location permissions via Settings > Privacy & Security > Location Services until a patch is confirmed. Revoking iOS location permissions at the OS level mitigates local data access but may not prevent server-side location data already stored from being queried via the API flaw. Splashin backend operators, if any, should audit API endpoints for missing authorization middleware and enforce server-side authentication on all user data retrieval paths. Users seeking a compensating control should disable location sharing within the app entirely and monitor for a vendor response at the disclosure reference https://carterlasalle.github.io/splashin-cve-2025/splashin-1.pdf.

Share

CVE-2025-45157 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy