CVE-2025-24259
Published: 31 March 2025
Description
Adversaries may enumerate information about browsers to learn more about compromised environments.
Security Summary
CVE-2025-24259 is a vulnerability affecting Apple's iPadOS and macOS operating systems, specifically allowing an app to retrieve Safari bookmarks without the required entitlement check. This missing authorization issue, classified under CWE-862, impacts versions prior to iPadOS 17.7.7, macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. It was published on 2025-03-31 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by an app lacking the proper entitlement; the CVSS vector indicates remote network access (AV:N), low attack complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N). Successful exploitation could result in high impact to confidentiality, integrity, and availability, allowing unauthorized access to sensitive Safari bookmark data.
Apple's security advisories state that the issue was addressed through additional entitlement checks and is fixed in iPadOS 17.7.7, macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Mitigation consists of updating affected systems to these patched versions; further details are available in the referenced Apple support pages (https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, https://support.apple.com/en-us/122375, https://support.apple.com/en-us/122405) and at http://seclists.org/fulldisclosure/2025/Apr/10.
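As an added example (not code from Apple or from this advisory), the following Python helper turns the fixed-version list above into a per-release-train compliance check that a fleet-inventory or endpoint script can run against a reported OS version. The function names (parse_version, is_patched, local_macos_status) and the FIXED_VERSIONS table are this example's own assumptions; the version numbers in the table are exactly those the advisory lists, and any other product or release train is reported as unknown rather than guessed. The optional local check calls the standard macOS sw_vers command and quietly returns None on any other platform.

```python
"""Check whether a reported macOS / iPadOS version carries the CVE-2025-24259 fix.

Fixed versions are those listed in the advisory: iPadOS 17.7.7, macOS Sequoia 15.4,
macOS Sonoma 14.7.5 and macOS Ventura 13.7.5. Any other release train is reported
as unknown (None) rather than assumed safe or vulnerable.
"""
from __future__ import annotations

import subprocess
from typing import Optional

# Minimum patched version per (product, major release train), taken from the advisory.
# Hypothetical table name chosen for this example.
FIXED_VERSIONS: dict[tuple[str, int], tuple[int, ...]] = {
    ("iPadOS", 17): (17, 7, 7),
    ("macOS", 15): (15, 4),      # Sequoia
    ("macOS", 14): (14, 7, 5),   # Sonoma
    ("macOS", 13): (13, 7, 5),   # Ventura
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '14.7.5' into (14, 7, 5); reject anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if `version` is at or above the fix for its release train,
    False if it is below, None if the advisory lists no fix for that train."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((product, v[0]))
    if fixed is None:
        return None
    # Pad to equal length so that 15.4 == 15.4.0 and 15.4.1 > 15.4.
    n = max(len(v), len(fixed))
    return v + (0,) * (n - len(v)) >= fixed + (0,) * (n - len(fixed))


def local_macos_status() -> Optional[bool]:
    """Query the running host with sw_vers (macOS only); None if the command is unavailable."""
    try:
        out = subprocess.run(
            ["sw_vers", "-productVersion"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_patched("macOS", out)


if __name__ == "__main__":
    # Constructed sample inventory rows, not real hosts.
    inventory = [("macOS", "15.3.2"), ("macOS", "15.4"), ("macOS", "14.7.5"),
                 ("iPadOS", "17.7.6"), ("macOS", "12.7.6")]
    for product, ver in inventory:
        status = {True: "patched", False: "VULNERABLE", None: "unknown train"}[is_patched(product, ver)]
        print(f"{product} {ver}: {status}")
    print("this host:", local_macos_status())
```

The train-aware comparison matters here: a plain numeric comparison against 15.4 would wrongly flag Sonoma 14.7.5 and Ventura 13.7.5 as vulnerable even though both are fixed releases, and would wrongly pass a hypothetical 15.3.x build, which the advisory does not list as fixed.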
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows an app to retrieve Safari bookmarks by bypassing required entitlement checks, directly enabling browser information discovery on the local system.