Stored HTML Injection Vulnerability in Time Machine by Apple
CVE-2025-40891

2.3 LOW

Key Information:

Vendor
CVE Published: 18 December 2025

What is CVE-2025-40891?

A vulnerability exists in Apple Time Machine that allows an unauthenticated attacker to exploit the Snapshot Diff functionality. The flaw arises from improper validation of incoming network traffic data, which enables the injection of HTML tags into attributes of assets across different snapshots. For the attack to succeed, a user must access the Time Machine Snapshot Diff feature and perform specific graphical user interface actions. The injected HTML then executes in their browser, potentially leading to phishing and open redirect incidents. Effective input validation and a Content Security Policy are in place to mitigate the risk, and the attack is complex because it requires multiple conditions to be met, but it still raises concerns about user security.

Affected Version(s)

CMC 0 < 25.5.0

Guardian 0 < 25.5.0

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was found by Stefano Libero and Andrea Palanca of Nozomi Networks Product Security team during an internal investigation.