Input Validation Flaw in Safari and Apple Products
CVE-2025-24180

8.1HIGH

Key Information:

Vendor: Apple
Status: iOS And iPad OS; Mac OS; Visionos; Safari
Vendor: CVE Published:; 31 March 2025

Summary

An input validation vulnerability has been identified that could allow a malicious website to claim WebAuthn credentials from another website sharing a registrable suffix. This could potentially expose users to security risks, as it enables unauthorized access to sensitive credentials without proper user consent. The issue has been addressed in recent updates across various Apple platforms, improving overall security and protecting user information.

Affected Version(s)

iOS and iPadOS < 18.4

macOS < 15.4

Safari < 18.4

References

https://support.apple.com/en-us/122371

https://support.apple.com/en-us/122373

https://support.apple.com/en-us/122378

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 31, 2025
Vulnerability Reserved
Jan 17, 2025