Address Bar Spoofing Vulnerability in Apple iOS and Safari Products
CVE-2025-43493
What is CVE-2025-43493?
CVE-2025-43493 is a vulnerability identified in Apple’s iOS and Safari products, referred to as an address bar spoofing vulnerability. This flaw could enable malicious actors to manipulate the address bar, obscuring the actual URL of the website being visited. By creating a deceptive user experience, attackers could trick users into thinking they are on a legitimate site while actually leading them to a malicious page. The implications of this vulnerability are significant, as it undermines user trust in web security, exposes sensitive information, and increases the risk of phishing attacks. The inherent design of iOS and Safari products to protect user data and enhance browsing security is compromised, creating potential openings for malicious activities.
The issue was mitigated through improved validation measures in subsequent updates, specifically in versions iOS 26.1, iPadOS 26.1, Safari 26.1, and visionOS 26.1. Organizations relying on Apple’s mobile and web platforms must remain vigilant and ensure their devices are updated to the latest software versions to minimize exposure to such vulnerabilities.
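The paragraph above turns into a concrete operational task: confirming that every managed device is on a build that carries the fix. The script below is an added example (not Apple's code and not part of the original advisory) that compares an inventory of devices against the fixed versions named above (iOS, iPadOS, Safari and visionOS 26.1). The inventory records and device names are constructed sample data, and the platform labels are assumptions about how an MDM export might name them; anything that cannot be parsed or is not covered by the advisory is reported for review rather than silently treated as patched.

```python
"""Check an inventory of Apple devices against the versions that fix CVE-2025-43493.

Fixed versions are taken from the advisory text: iOS 26.1, iPadOS 26.1,
Safari 26.1 and visionOS 26.1. The inventory below is constructed sample
data, not real MDM output.
"""
from typing import List, Tuple

# Fixed versions named in the advisory (platform -> first patched version)
FIXED_VERSIONS = {
    "iOS": "26.1",
    "iPadOS": "26.1",
    "Safari": "26.1",
    "visionOS": "26.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse an Apple-style dotted version ("26.1", "18.7.2") into a tuple of ints.

    Trailing zero components are stripped so that "26.1" compares equal to "26.1.0".
    Raises ValueError on malformed input instead of guessing.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_patched(platform: str, version: str) -> bool:
    """Return True if platform/version is at or above the fixed version.

    Unknown platforms raise KeyError so they are never reported as safe by accident.
    """
    fixed = parse_version(FIXED_VERSIONS[platform])
    return parse_version(version) >= fixed


def find_unpatched(inventory: List[dict]) -> List[dict]:
    """Return inventory entries that are still exposed or cannot be assessed.

    Each entry has keys "device", "platform" and "version". Entries with an
    unparseable version or a platform the advisory does not cover are flagged
    with a reason so that a human reviews them.
    """
    findings = []
    for entry in inventory:
        try:
            patched = is_patched(entry["platform"], entry["version"])
            reason = None if patched else "below fixed version"
        except KeyError:
            patched, reason = False, "platform not covered by advisory"
        except ValueError as exc:
            patched, reason = False, str(exc)
        if not patched:
            findings.append({**entry, "reason": reason})
    return findings


# Constructed sample inventory (hypothetical device names and versions)
SAMPLE_INVENTORY = [
    {"device": "ipad-finance-01", "platform": "iPadOS", "version": "26.1"},
    {"device": "iphone-sales-07", "platform": "iOS", "version": "26.0.1"},
    {"device": "mac-design-03", "platform": "Safari", "version": "26.1.1"},
    {"device": "vision-lab-02", "platform": "visionOS", "version": "26.1"},
    {"device": "iphone-exec-02", "platform": "iOS", "version": "unknown"},
    {"device": "tv-lobby-01", "platform": "tvOS", "version": "26.1"},
]

if __name__ == "__main__":
    for f in find_unpatched(SAMPLE_INVENTORY):
        print(f"{f['device']}: {f['platform']} {f['version']} -> {f['reason']}")
```

Version strings are compared as integer tuples rather than as text, so "26.10" correctly sorts above "26.1" and a patch release such as "26.1.1" counts as patched. Devices running a platform the advisory does not list are surfaced rather than skipped, which avoids the common failure of an inventory script quietly reporting a fleet as clean because of a naming mismatch.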
Potential impact of CVE-2025-43493
- Risk of Phishing Attacks: Given that the vulnerability allows for address bar spoofing, users may inadvertently provide sensitive information to malicious sites, believing they are interacting with legitimate platforms. This jeopardizes personal data and organizational credentials.
- Erosion of User Trust: Address bar spoofing can lead to a decline in trust towards browser security features among users. If individuals lose confidence in the safety of browsing, it could have long-term implications on internet usage behaviors and organizational reputations.
- Targeted Exploits by Malicious Actors: Although there has been no reported exploitation in the wild at present, the nature of this vulnerability leaves it ripe for future targeted campaigns. Attackers may leverage this flaw to deploy more sophisticated social engineering tactics or other methods to exploit unsuspecting users.
Affected Version(s)
iOS and iPadOS < 18.7