CVE-2025-24167

CVE-2025-24167 is a high-severity vulnerability in Apple's ecosystem where a download's origin may be incorrectly associated, potentially leading to security bypasses. The issue affects Safari prior to version 18.4, iOS prior to 18.4, iPadOS prior to 18.4, macOS Sequoia prior to 15.4, and watchOS prior to 11.4. It was published on 2025-03-31 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its network accessibility, low attack complexity, and lack of prerequisites.

A remote attacker with no privileges or user interaction can exploit this vulnerability over the network. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, stemming from the flawed origin association during downloads, which might enable actions like cross-origin resource manipulation or unauthorized data handling.

Apple's security advisories detail that the vulnerability was addressed through improved state management. It is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, and watchOS 11.4. Practitioners should prioritize updating affected devices; relevant advisories are available at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, https://support.apple.com/en-us/122379, and http://seclists.org/fulldisclosure/2025/Apr/13.