{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24102", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-01-17T00:00:44.968Z", "datePublished": "2025-01-27T21:46:03.076Z", "dateUpdated": "2026-04-02T18:16:56.599Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to determine a user\u2019s current location"}]}], "affected": [{"vendor": "Apple", "product": "iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "17.7.4", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "13.7.3", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "14.7.3", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "15.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user\u2019s current location."}], "references": [{"url": "https://support.apple.com/en-us/122067"}, {"url": "https://support.apple.com/en-us/122068"}, {"url": "https://support.apple.com/en-us/122069"}, {"url": "https://support.apple.com/en-us/122070"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:16:56.599Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-28T14:55:38.415609Z", "id": "CVE-2025-24102", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-19T17:45:44.897Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Jan/17"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/16"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/15"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/14"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:01:15.628Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24102", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-28T14:55:38.415609Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T14:57:12.925Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "14.7", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "15.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "17.7", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "13.7", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122069"}, {"url": "https://support.apple.com/en-us/122068"}, {"url": "https://support.apple.com/en-us/122067"}, {"url": "https://support.apple.com/en-us/122070"}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user\u2019s current location."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "An app may be able to determine a user\u2019s current location"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-01-27T21:46:03.076Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24102", "state": "PUBLISHED", "dateUpdated": "2025-03-19T17:45:44.897Z", "dateReserved": "2025-01-17T00:00:44.968Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-01-27T21:46:03.076Z", "assignerShortName": "apple"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "27995710-C1F5-4919-8168-E2B59D7F698C", "versionEndExcluding": "17.7.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "916A9F06-E2B9-496C-A99D-F6509192DFE2", "versionEndExcluding": "13.7.3", "versionStartIncluding": "13.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C523C7E-B1CF-454B-8AFD-B462C5120D9E", "versionEndExcluding": "14.7.3", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "33FE4A81-3E35-4934-ABBB-4531E8E249AF", "versionEndExcluding": "15.3", "versionStartIncluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. An app may be able to determine a user\u2019s current location."}, {"lang": "es", "value": "El problema se solucion\u00f3 con comprobaciones mejoradas. Este problema se solucion\u00f3 en iPadOS 17.7.4, macOS Sequoia 15.3, macOS Sonoma 14.7.3 y macOS Ventura 13.7.3. Es posible que una aplicaci\u00f3n pueda determinar la ubicaci\u00f3n actual de un usuario."}], "id": "CVE-2025-24102", "lastModified": "2025-11-03T21:19:17.357", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-27T22:15:15.807", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122067"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122068"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122069"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122070"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/17"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T03:59:53.383422+00:00", "value": {"mitigation_remediation": ["Apply the latest Apple software update that includes iPadOS 17.7.4 or later and macOS Sequoia\u202f15.3, Sonoma\u202f14.7.3, and Ventura\u202f13.7.3 or newer.", "Review the location permissions granted to each app in Settings and restrict access to only trusted applications.", "Uninstall or remove applications that request location data unnecessarily and that are not from trusted sources."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Disclosure of Location"}, "threat_synthesis": {"affected_systems": "Apple\u2019s iPadOS and macOS products are affected. The defect is fixed in iPadOS 17.7.4 and in macOS releases Sequoia 15.3, Sonoma 14.7.3, and Ventura 13.7.3. Users running earlier versions of these operating systems remain vulnerable.", "description_and_impact": "The vulnerability arises from inadequate checks within Apple\u2019s operating system, allowing applications to determine a user\u2019s current location without going through the standard permission workflow. This flaw can lead to privacy violations by exposing sensitive location information. The weakness is characterized as CWE\u2011200, which describes information disclosure vulnerabilities.", "risk_and_exploitability": "The CVSS score of 9.8 underscores a high severity issue. The EPSS value of less than 1% suggests that exploitation is currently low probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation would typically involve a malicious app installed on the device; such an app could bypass normal location permission checks and read the user\u2019s precise position. Because the weakness is client\u2011side, the attack surface is limited to applications already present on the device."}}}}, "created": "2026-04-28T04:00:05.426754+00:00", "title": "Location Disclosure via Improper Permission Checks", "updated": "2026-04-28T04:00:05.426770+00:00", "vendors": []}