CVE-2025-24201

Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability

Severity Score

7.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Act

*SSVC

Descriptions

An out-of-bounds write issue was addressed with improved checks to prevent unauthorized actions. This issue is fixed in visionOS 2.3.2, iOS 18.3.2 and iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.1. Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2. (Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.).

Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

Apple iOS, iPadOS, macOS, and other Apple products contain an out-of-bounds write vulnerability in WebKit that may allow maliciously crafted web content to break out of Web Content sandbox. This vulnerability could impact HTML parsers that use WebKit, including but not limited to Apple Safari and non-Apple products which rely on WebKit for HTML processing.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Act

Exploitation

Active

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2025-01-17 CVE Reserved
2025-03-11 CVE Published
2025-03-13 Exploited in Wild
2025-03-14 CVE Updated
2025-03-14 EPSS Updated
2025-04-03 KEV Due Date
---------- First Exploit

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (4)

URL	Tag	Source
https://support.apple.com/en-us/122281
https://support.apple.com/en-us/122283
https://support.apple.com/en-us/122284
https://support.apple.com/en-us/122285

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apple Search vendor "Apple"		Ios Search vendor "Apple" for product "Ios"				*		-		Affected
Apple Search vendor "Apple"		Macos Search vendor "Apple" for product "Macos"				*		-		Affected
Apple Search vendor "Apple"		Safari Search vendor "Apple" for product "Safari"				*		-		Affected
Apple Search vendor "Apple"		Visionos Search vendor "Apple" for product "Visionos"				*		-		Affected