CVE-2025-24213
Published: 31 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-24213 is a type confusion vulnerability (CWE-843) stemming from improper handling of floats, which could lead to memory corruption. The issue affects multiple Apple platforms and components, including Safari prior to version 18.5, iOS prior to 18.5, iPadOS prior to 18.5 and 17.7.7, macOS Sequoia prior to 15.5, tvOS prior to 18.5, visionOS prior to 2.5, and watchOS prior to 11.5.
The vulnerability has a CVSS v3.1 base score of 7.8 (High), with local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R). A local attacker could exploit it to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution through memory corruption upon successful type confusion.
Apple addressed the issue through improved float handling in the listed fixed versions. Official advisories detailing the patches are available at https://support.apple.com/en-us/122404, https://support.apple.com/en-us/122405, https://support.apple.com/en-us/122716, https://support.apple.com/en-us/122719, and https://support.apple.com/en-us/122720. Security practitioners should prioritize updating affected devices to mitigate exposure.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a client-side type confusion vulnerability in Safari and other Apple components leading to memory corruption and arbitrary code execution with local attack vector and user interaction required, directly enabling T1203 Exploitation for Client Execution.