CVE-2025-31184

CVE-2025-31184 is a permissions checking vulnerability (CWE-281) that allows an app to gain unauthorized access to the Local Network. It affects Safari prior to version 18.4, iOS prior to 18.4, iPadOS prior to 18.4, macOS Sequoia prior to 15.4, and visionOS prior to 2.4. The issue was published on 2025-03-31 and carries a CVSS v3.1 base score of 7.8 (High), reflecting local attack vector, low complexity, no privileges required, required user interaction, unchanged scope, and high impacts on confidentiality, integrity, and availability.

A local attacker can exploit this vulnerability by tricking a user into interacting with a malicious app or content, such as through social engineering. No special privileges are needed, enabling the app to bypass intended restrictions and access Local Network resources without authorization. Successful exploitation could allow the attacker to read sensitive network data, modify network communications, or disrupt local services.

Apple security advisories detail the fix as improved permissions checking in the listed versions. Relevant updates are documented in support articles at https://support.apple.com/en-us/122371, https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122378, and https://support.apple.com/en-us/122379, with additional disclosure at http://seclists.org/fulldisclosure/2025/Apr/12. Practitioners should ensure systems are updated to mitigate this issue.