CVE-2025-24150
Published: 27 January 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2025-24150 is a command injection vulnerability (CWE-77) stemming from inadequate handling of files: copying a URL from Web Inspector can trigger command injection. The issue affects Safari versions prior to 18.3, iOS prior to 18.3, iPadOS prior to 18.3, and macOS Sequoia prior to 15.3. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), which places it in the High severity band.
A remote, unprivileged attacker can exploit this vulnerability by tricking a target user into copying a maliciously crafted URL from Web Inspector, so user interaction is required. Successful exploitation enables command injection, potentially granting the attacker high-impact access to compromise confidentiality, integrity, and availability on the affected system.
Apple advisories confirm the issue was fixed with improved file handling in Safari 18.3, iOS 18.3, iPadOS 18.3, and macOS Sequoia 15.3. Mitigation involves updating to these patched versions, as detailed in support documents at https://support.apple.com/en-us/122066, https://support.apple.com/en-us/122068, and https://support.apple.com/en-us/122074, along with full disclosure postings at http://seclists.org/fulldisclosure/2025/Jan/13 and http://seclists.org/fulldisclosure/2025/Jan/15.
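For triage, two things a practitioner typically wants to check against this record are that the quoted CVSS vector really does yield 8.8, and whether a given installed version is still in the affected range. The following helper is an added example written for this page; it is not code from the CVE record or from Apple. The metric weights and the Roundup() function are taken from the CVSS v3.1 specification; the fixed versions come from the advisory text above. Because the record only names macOS Sequoia (15.x), the version check deliberately reports "unknown" (None) for other macOS majors rather than guessing; that is an assumption of this example, not a statement from the record.

```python
# Added example (not from the CVE record or from Apple): recompute the CVSS v3.1
# base score from the advisory's vector string and decide whether a reported
# product/version is still affected by CVE-2025-24150 per the fixed versions
# the advisory lists.
import math
from typing import Optional, Tuple

# CVSS v3.1 metric weights (CVSS v3.1 specification, Table 16).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(value: float) -> float:
    """Roundup() as defined in CVSS v3.1 Appendix A (avoids float artefacts)."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Compute the base score from a vector like 'AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'.
    An optional 'CVSS:3.1/' prefix and surrounding parentheses are tolerated."""
    metrics = {}
    for token in vector.strip().strip("()").split("/"):
        key, _, val = token.partition(":")
        metrics[key] = val
    changed = metrics["S"] == "C"
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[metrics["PR"]]
    iss = 1 - (1 - _CIA[metrics["C"]]) * (1 - _CIA[metrics["I"]]) * (1 - _CIA[metrics["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * _AV[metrics["AV"]] * _AC[metrics["AC"]] * pr * _UI[metrics["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return _roundup(min(1.08 * (impact + exploitability), 10))
    return _roundup(min(impact + exploitability, 10))


# First fixed versions named in the advisory; anything earlier on the same
# release train is affected.
FIXED_VERSIONS = {
    "safari": (18, 3),
    "ios": (18, 3),
    "ipados": (18, 3),
    "macos": (15, 3),  # advisory names macOS Sequoia (15.x) only
}


def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if affected, False if at/after the fixed version, None if the record
    says nothing about this product or release train (assumption of this example)."""
    key = product.lower().replace(" ", "")
    if key.startswith("macos"):  # accept "macOS Sequoia" as well as "macOS"
        key = "macos"
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        return None
    parsed = parse_version(version)
    if key == "macos" and parsed[0] != 15:
        return None  # other macOS majors are outside what the record states
    # Tuple comparison handles patch releases: (15, 3, 1) is not < (15, 3).
    return parsed < fixed


if __name__ == "__main__":
    print(cvss31_base_score("AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"))
    for product, version in [("Safari", "18.2.1"), ("macOS Sequoia", "15.3"), ("macOS", "14.7.2")]:
        print(product, version, is_affected(product, version))
```

Running the block prints 8.8 for the advisory's vector, then True for Safari 18.2.1, False for macOS Sequoia 15.3, and None for macOS 14.7.2, which the record does not cover.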
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in Safari (client application) directly enables exploitation for client execution (T1203) and arbitrary command execution via Unix shell (T1059.004) on affected Apple platforms.