Cyber Posture

CVE-2025-24201

Critical · CISA KEV · Active Exploitation

Published: 11 March 2025

Modified: 03 April 2026
KEV Added: 13 March 2025
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0024 (46.8th percentile)
Risk Priority: 40 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in client applications to execute code.

Security Summary

CVE-2025-24201 is an out-of-bounds write vulnerability (CWE-787) that was addressed through improved bounds checks to prevent unauthorized actions. It affects the Web Content sandbox in Safari and on multiple Apple platforms, including iOS versions prior to 15.8.4, 16.7.11, and 18.3.2; iPadOS versions prior to 15.8.4, 16.7.11, 17.7.6, and 18.3.2; macOS Sequoia prior to 15.3.2; visionOS prior to 2.3.2; and watchOS prior to 11.4. Maliciously crafted web content may exploit the issue to break out of the Web Content sandbox.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges or user interaction (CVSS:3.1 score of 10.0; AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Successful exploitation enables a breakout from the Web Content sandbox, potentially granting high-impact access to the confidentiality, integrity, and availability of the affected device.

Apple security advisories detail patches in the listed versions, including Safari 18.3.1 and corresponding OS updates, available via https://support.apple.com/en-us/122281, https://support.apple.com/en-us/122283, https://support.apple.com/en-us/122284, https://support.apple.com/en-us/122285, and https://support.apple.com/en-us/122345. Security practitioners should prioritize updating affected devices.

This issue serves as a supplementary fix for an attack blocked in iOS 17.2. Apple is aware of a report that it may have been exploited in an extremely sophisticated attack targeting specific individuals on iOS versions prior to 17.2.

Details

CWE(s): CWE-787
KEV Date Added: 13 March 2025

Affected Products

Vendor / Product: Versions

apple / safari: ≤ 18.3.1
apple / macos: 15.0 — 15.3.2
apple / visionos: ≤ 2.3.2
apple / watchos: ≤ 11.4
apple / ipados: 15.8 — 15.8.4 · 16.7 — 16.7.11 · 17.0 — 17.7.6
apple / iphone os: 15.8 — 15.8.4 · 16.7 — 16.7.11 · 17.0 — 18.3.2
debian / debian linux: 11.0

MITRE ATT&CK Enterprise Techniques

T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

An out-of-bounds write in the Safari Web Content sandbox allows malicious web content to escape the sandbox with no user interaction, directly enabling drive-by compromise via crafted web content and exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
