{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-30434", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-03-22T00:04:43.717Z", "datePublished": "2025-03-31T22:23:06.874Z", "dateUpdated": "2026-04-02T18:14:55.383Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing a maliciously crafted file may lead to a cross site scripting attack"}]}], "affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "18.4", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved input sanitization. This issue is fixed in iOS 18.4 and iPadOS 18.4. Processing a maliciously crafted file may lead to a cross site scripting attack."}], "references": [{"url": "https://support.apple.com/en-us/122371"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:14:55.383Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T14:14:00.655778Z", "id": "CVE-2025-30434", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T14:15:23.497Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/Apr/4"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:14:30.322Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-30434", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-01T14:14:00.655778Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T14:15:18.315Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "iOS and iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "18.4", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122371"}], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved input sanitization. This issue is fixed in iOS 18.4 and iPadOS 18.4. Processing a maliciously crafted file may lead to a cross site scripting attack."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Processing a maliciously crafted file may lead to a cross site scripting attack"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-03-31T22:23:06.874Z"}}}, "cveMetadata": {"cveId": "CVE-2025-30434", "state": "PUBLISHED", "dateUpdated": "2025-04-01T14:15:23.497Z", "dateReserved": "2025-03-22T00:04:43.717Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-03-31T22:23:06.874Z", "assignerShortName": "apple"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B3450F7-7B4A-46CE-A6E0-BBE6569F2EBF", "versionEndExcluding": "18.4", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "matchCriteriaId": "0D9C73F9-FEF4-4FC1-B83D-56566AD35990", "versionEndExcluding": "18.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed with improved input sanitization. This issue is fixed in iOS 18.4 and iPadOS 18.4. Processing a maliciously crafted file may lead to a cross site scripting attack."}, {"lang": "es", "value": "El problema se solucion\u00f3 mejorando la depuraci\u00f3n de entrada. Este problema est\u00e1 corregido en iOS 18.4 y iPadOS 18.4. Procesar un archivo malintencionado puede provocar un ataque de cross site scripting."}], "id": "CVE-2025-30434", "lastModified": "2025-11-03T22:18:45.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-03-31T23:15:25.600", "references": [{"source": "product-security@apple.com", "tags": ["Vendor Advisory"], "url": "https://support.apple.com/en-us/122371"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/Apr/4"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T03:00:48.319600+00:00", "value": {"mitigation_remediation": ["Upgrade the device to iOS\u00a018.4 or iPadOS\u00a018.4, which includes the improved input sanitization fixes. ", "Ensure that any third\u2011party apps that handle file content are also updated, as older app libraries may re\u2011expose the flaw. ", "Restrict the acceptance of unknown or untrusted files on the device, for example by disabling automatic downloads from email attachments or by using application\u2011level file\u2011type checks."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Apple iOS and iPadOS are affected. The vulnerability exists in all iOS versions prior to 18.4 and in all iPadOS versions prior to 18.4. The security fix is included in iOS 18.4 and iPadOS 18.4 and is not available in earlier releases.", "description_and_impact": "A maliciously crafted file can be processed by the operating system and trigger the execution of arbitrary JavaScript, leading to a cross\u2011site scripting attack. The flaw stems from insufficient input sanitization during file handling, allowing attacker\u2011supplied content to be executed in a browser context.", "risk_and_exploitability": "The CVSS score of 5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA KEV. The likely attack vector is execution of a malicious file that the user opens or that is transferred to the device through an application, email attachment, or file sharing service. Exploitation requires local file access, but once a file is processed the JavaScript can run with the privileges of the device\u2019s web view."}}}}, "created": "2026-04-28T03:15:05.539720+00:00", "title": "Cross\u2011Site Scripting via Malicious File Processing in iOS\u00a018 and iPadOS\u00a018", "updated": "2026-04-28T03:15:05.539750+00:00", "vendors": []}