{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-24143", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-01-17T00:00:44.975Z", "datePublished": "2025-01-27T21:46:05.639Z", "dateUpdated": "2026-04-02T18:17:16.826Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "A maliciously crafted webpage may be able to fingerprint the user"}]}], "affected": [{"vendor": "Apple", "product": "Safari", "versions": [{"version": "0", "status": "affected", "lessThan": "18.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "18.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "15.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "visionOS", "versions": [{"version": "0", "status": "affected", "lessThan": "2.3", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved access restrictions to the file system. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user."}], "references": [{"url": "https://support.apple.com/en-us/122066"}, {"url": "https://support.apple.com/en-us/122068"}, {"url": "https://support.apple.com/en-us/122073"}, {"url": "https://support.apple.com/en-us/122074"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:17:16.826Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-862", "lang": "en", "description": "CWE-862 Missing Authorization"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-01-28T19:38:50.531676Z", "id": "CVE-2025-24143", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-04T21:19:10.129Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00014.html"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/20"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/15"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:03:50.424Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00014.html"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/20"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/15"}, {"url": "http://seclists.org/fulldisclosure/2025/Jan/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:03:50.424Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-24143", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-28T19:38:50.531676Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T19:38:44.528Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "visionOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "15.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "Safari", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "18.3", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "18.3", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122073"}, {"url": "https://support.apple.com/en-us/122068"}, {"url": "https://support.apple.com/en-us/122074"}, {"url": "https://support.apple.com/en-us/122066"}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "A maliciously crafted webpage may be able to fingerprint the user"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-01-27T21:46:05.639Z"}}}, "cveMetadata": {"cveId": "CVE-2025-24143", "state": "PUBLISHED", "dateUpdated": "2025-11-03T21:03:50.424Z", "dateReserved": "2025-01-17T00:00:44.975Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-01-27T21:46:05.639Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "matchCriteriaId": "0384B3A1-9447-4020-A798-38CB2348F67B", "versionEndExcluding": "18.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B7F80FC-EB0A-4B78-8CB7-18E5F162CD6A", "versionEndExcluding": "18.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "38BA63B3-CC2C-4E63-AE2C-B8DB08B5E89B", "versionEndExcluding": "15.3", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "matchCriteriaId": "F91BF3D5-D8E5-437C-8301-C9F22AAFB8BD", "versionEndExcluding": "2.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved access restrictions to the file system. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user."}, {"lang": "es", "value": "El problema se solucion\u00f3 mejorando las restricciones de acceso al archivo sistema. Este problema se solucion\u00f3 en macOS Sequoia 15.3, Safari 18.3, iOS 18.3 y iPadOS 18.3, visionOS 2.3. Una p\u00e1gina web malintencionada manipulado puede tomar la huella digital del usuario."}], "id": "CVE-2025-24143", "lastModified": "2026-04-02T19:19:06.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-01-27T22:15:18.893", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes"], "url": "https://support.apple.com/en-us/122066"}, {"source": "product-security@apple.com", "tags": ["Release Notes"], "url": "https://support.apple.com/en-us/122068"}, {"source": "product-security@apple.com", "tags": ["Release Notes"], "url": "https://support.apple.com/en-us/122073"}, {"source": "product-security@apple.com", "tags": ["Release Notes"], "url": "https://support.apple.com/en-us/122074"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Jan/20"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/02/msg00014.html"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:10364", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "webkitgtk4-0:2.48.3-2.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-07-07T00:00:00Z"}, {"advisory": "RHSA-2025:2034", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "webkit2gtk3-0:2.46.6-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-03-03T00:00:00Z"}], "bugzilla": {"description": "webkitgtk: A maliciously crafted webpage may be able to fingerprint the user", "id": "2344621", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2344621"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-862", "details": ["The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user.", "A flaw was found in WebKitGTK. A maliciously crafted web page may be able to fingerprint the user due to improper access restrictions to the file system."], "mitigation": {"lang": "en:us", "value": "Do not visit untrusted web pages or load untrusted web content with WebKitGTK."}, "name": "CVE-2025-24143", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "webkitgtk", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "webkitgtk3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "webkit2gtk3", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-01-27T21:46:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-24143\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-24143\nhttps://support.apple.com/en-us/122066\nhttps://support.apple.com/en-us/122068\nhttps://support.apple.com/en-us/122073\nhttps://support.apple.com/en-us/122074"], "statement": "To exploit this flaw, an attacker needs to trick a user into visiting a maliciously crafted web page.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-28T12:10:00.816711+00:00", "value": {"mitigation_remediation": ["Update Safari to 18.3 or later, and update iOS, iPadOS, macOS Sequoia, and visionOS to the latest releases that include the file\u2011system access restriction fix; this is the official solution from Apple.", "Until the update is applied, users should avoid browsing untrusted or suspicious websites that may contain fingerprinting payloads.", "If an immediate update is not possible, consider disabling or uninstalling browser extensions that can access local files, as they could amplify the fingerprinting capability."], "summary": {"action": "Apply Patch", "impact": "User fingerprinting via webpage"}, "threat_synthesis": {"affected_systems": "Apple\u2019s web browser ecosystem\u2014including Safari, iOS, iPadOS, macOS Sequoia, and visionOS\u2014is affected. The vulnerability is fixed in Safari 18.3, iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, and visionOS 2.3. Based on the description, it is inferred that any version prior to these may remain vulnerable.", "description_and_impact": "A maliciously crafted webpage can read parts of the file system that should be inaccessible to a regular web page, allowing the browser to identify unique characteristics of the user\u2019s environment. The flaw is a weakness in access control, classified under CWE\u2011862. The impact is primarily privacy\u2011related, potentially enabling an attacker to profile or identify the victim by revealing system configuration details.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, and an EPSS score of less than 1% shows low current exploitation likelihood. It is not listed in the CISA KEV catalog. The likely attack vector is a user visiting a maliciously crafted webpage in the browser, without needing elevated privileges or additional network access. No remote code execution or privilege escalation is reported."}}}}, "created": "2026-04-28T12:15:30.891521+00:00", "updated": "2026-04-28T12:15:30.891531+00:00", "vendors": []}