CVE-2025-24180
Published: 31 March 2025
Description
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Security Summary
CVE-2025-24180 is a vulnerability in the WebAuthn implementation that allows a malicious website to claim credentials registered to another website sharing a registrable suffix, due to insufficient input validation. The issue affects Apple's Safari browser and operating systems including iOS 18.4 and earlier, iPadOS 18.4 and earlier, macOS Sequoia 15.4 and earlier, visionOS 2.4 and earlier, and watchOS 11.4 and earlier. It is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-601 (URL Redirection to Untrusted Site).
An attacker can exploit this vulnerability by hosting a malicious website that tricks a user into interacting with it, such as during WebAuthn registration or authentication. No special privileges are required, but user interaction is necessary, typically via visiting the site and approving a credential operation. Successful exploitation enables the attacker to access high-integrity WebAuthn credentials (like FIDO2 passkeys) from a legitimate site with a shared domain suffix, potentially compromising user authentication on that site without impacting availability.
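The check that the summary above describes as missing is the WebAuthn client's RP ID validation: a credential may only be scoped to the caller's effective domain or to a registrable-domain suffix of it, never to a public suffix such as co.uk that many unrelated sites share. The following is an added example of that check, not WebKit's or Apple's code; the public-suffix set is a small constructed subset standing in for the full Public Suffix List, and the function and constant names are the author's own.

```javascript
// Added example, not code from Apple or WebKit. Constructed subset of the
// Public Suffix List; a real client must consult the full list.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk", "github.io"]);

// Effective domain of a caller origin, e.g.
// "https://login.example.com:8443" -> "login.example.com".
function effectiveDomain(origin) {
  return new URL(origin).hostname.toLowerCase();
}

// A host that is itself a public suffix (e.g. "co.uk") is not a registrable
// domain, so no site may scope credentials to it.
function isPublicSuffix(host) {
  return PUBLIC_SUFFIXES.has(host);
}

// Returns true only if rpId is an acceptable credential scope for a request
// made from origin: rpId equals the effective domain, or is a strict
// DNS-label suffix of it, and rpId is not a public suffix.
function rpIdAllowed(origin, rpId) {
  const host = effectiveDomain(origin);
  const id = rpId.toLowerCase();
  if (id.length === 0 || host.length === 0) return false;
  if (isPublicSuffix(id)) return false;       // the shared-suffix case
  if (id === host) return true;
  return host.endsWith("." + id);             // label boundary, not substring
}

// Constructed cases: a legitimate subdomain scoping to its own registrable
// domain is allowed; a site trying to claim a shared suffix is refused.
function demo() {
  return {
    ownDomain: rpIdAllowed("https://login.example.com", "example.com"),
    sharedSuffix: rpIdAllowed("https://evil.co.uk", "co.uk"),
    lookalike: rpIdAllowed("https://notexample.com", "example.com"),
  };
}
```

Relying parties cannot see which client performed this check, so on the server side they should still verify that the origin recorded in the signed clientDataJSON matches the origins they expect, which limits what a credential obtained under a wrong scope can be used for.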
Apple security advisories confirm the vulnerability was addressed through improved input validation in Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, and watchOS 11.4. Users are advised to update to these versions promptly, as detailed in the referenced support pages (https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122376, https://support.apple.com/en-us/122378, https://support.apple.com/en-us/122379).
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables credential theft through a malicious website that exploits the WebAuthn validation flaw, which maps directly to spearphishing-link delivery and to stealing credentials from web browsers.