Same Origin Policy Bypass Vulnerability in Apple Safari and Related Platforms
CVE-2025-30466

9.8CRITICAL

Key Information:

Vendor

Apple

Vendor
CVE Published:
29 May 2025

What is CVE-2025-30466?

CVE-2025-30466 is a vulnerability affecting Apple Safari and related platforms that allows for a bypass of the Same Origin Policy (SOP). The Same Origin Policy is a critical security feature implemented in web browsers that restricts how documents or scripts loaded from one origin can interact with resources from another origin. This vulnerability can result in security implications for organizations by allowing malicious websites to obtain sensitive information from other domains, potentially exposing user data and session information. The issue has been addressed through improved state management in the latest software updates for Safari, iOS, iPadOS, visionOS, and macOS Sequoia. Organizations using these platforms are at risk if they do not update to the fixed versions, opening themselves up to various attack vectors.

Potential impact of CVE-2025-30466

  1. Data Leakage: The vulnerability allows an attacker on a malicious site to gain unauthorized access to data and information from trusted domains. This could lead to the exposure of sensitive user data to cybercriminals, increasing the risk of identity theft and financial fraud.

  2. Session Hijacking: By exploiting this vulnerability, attackers could hijack user sessions from other websites, which may enable them to impersonate legitimate users and perform unauthorized actions, thereby undermining the integrity of user accounts and applications.

  3. Regulatory Compliance Risks: Organizations that fail to address this vulnerability may face challenges surrounding compliance with data protection regulations. Data breaches resulting from successful exploitation could lead to legal consequences and reputational damage, affecting stakeholder trust.

Affected Version(s)

iOS and iPadOS < 18.4

macOS < 15.4

Safari < 18.4

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.