{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-31220", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "state": "PUBLISHED", "assignerShortName": "apple", "dateReserved": "2025-03-27T16:13:58.319Z", "datePublished": "2025-05-12T21:43:05.277Z", "dateUpdated": "2026-04-02T18:27:19.082Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "A malicious app may be able to read sensitive location information"}]}], "affected": [{"vendor": "Apple", "product": "iPadOS", "versions": [{"version": "0", "status": "affected", "lessThan": "17.7.7", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"version": "0", "status": "affected", "lessThan": "13.7.6", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "14.7.6", "versionType": "custom"}, {"version": "0", "status": "affected", "lessThan": "15.5", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "A privacy issue was addressed by removing sensitive data. This issue is fixed in iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. A malicious app may be able to read sensitive location information."}], "references": [{"url": "https://support.apple.com/en-us/122405"}, {"url": "https://support.apple.com/en-us/122716"}, {"url": "https://support.apple.com/en-us/122717"}, {"url": "https://support.apple.com/en-us/122718"}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2026-04-02T18:27:19.082Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-13T15:27:35.984368Z", "id": "CVE-2025-31220", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-13T15:27:40.079Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/May/9"}, {"url": "http://seclists.org/fulldisclosure/2025/May/8"}, {"url": "http://seclists.org/fulldisclosure/2025/May/7"}, {"url": "http://seclists.org/fulldisclosure/2025/May/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:49:54.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://seclists.org/fulldisclosure/2025/May/9"}, {"url": "http://seclists.org/fulldisclosure/2025/May/8"}, {"url": "http://seclists.org/fulldisclosure/2025/May/7"}, {"url": "http://seclists.org/fulldisclosure/2025/May/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:49:54.550Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-31220", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-13T15:27:35.984368Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-13T15:27:15.788Z"}}], "cna": {"affected": [{"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "15.5", "versionType": "custom"}]}, {"vendor": "Apple", "product": "iPadOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "17.7", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "14.7", "versionType": "custom"}]}, {"vendor": "Apple", "product": "macOS", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "13.7", "versionType": "custom"}]}], "references": [{"url": "https://support.apple.com/en-us/122716"}, {"url": "https://support.apple.com/en-us/122405"}, {"url": "https://support.apple.com/en-us/122717"}, {"url": "https://support.apple.com/en-us/122718"}], "descriptions": [{"lang": "en", "value": "A privacy issue was addressed by removing sensitive data. This issue is fixed in iPadOS 17.7.7, macOS Ventura 13.7.6, macOS Sequoia 15.5, macOS Sonoma 14.7.6. A malicious app may be able to read sensitive location information."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "A malicious app may be able to read sensitive location information"}]}], "providerMetadata": {"orgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "shortName": "apple", "dateUpdated": "2025-05-12T21:43:05.277Z"}}}, "cveMetadata": {"cveId": "CVE-2025-31220", "state": "PUBLISHED", "dateUpdated": "2025-11-03T19:49:54.550Z", "dateReserved": "2025-03-27T16:13:58.319Z", "assignerOrgId": "286789f9-fbc2-4510-9f9a-43facdede74c", "datePublished": "2025-05-12T21:43:05.277Z", "assignerShortName": "apple"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "matchCriteriaId": "683ECAF8-DB29-40DB-963A-B95EA2A2AC01", "versionEndExcluding": "17.7.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "A90AA958-60F3-474C-B351-0F143B498B3E", "versionEndExcluding": "13.7.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "0EE6D3FD-8A49-48CF-80A3-0FFC6BA80B99", "versionEndExcluding": "14.7.6", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7416C76-07EC-4132-A509-E3F62B002CCA", "versionEndExcluding": "15.5", "versionStartIncluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A privacy issue was addressed by removing sensitive data. This issue is fixed in iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, macOS Ventura 13.7.6. A malicious app may be able to read sensitive location information."}, {"lang": "es", "value": "Se solucion\u00f3 un problema de privacidad eliminando datos confidenciales. Este problema est\u00e1 corregido en iPadOS 17.7.7, macOS Ventura 13.7.6, macOS Sequoia 15.5 y macOS Sonoma 14.7.6. Una aplicaci\u00f3n maliciosa podr\u00eda acceder a informaci\u00f3n confidencial de ubicaci\u00f3n."}], "id": "CVE-2025-31220", "lastModified": "2026-04-02T19:19:49.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-05-12T22:15:22.790", "references": [{"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122405"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122716"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122717"}, {"source": "product-security@apple.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.apple.com/en-us/122718"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/May/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/May/7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/May/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2025/May/9"}], "sourceIdentifier": "product-security@apple.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T11:18:14.513332+00:00", "value": {"mitigation_remediation": ["Update to the latest iPadOS 17.7.7 or newer macOS releases (Sequoia 15.5, Sonoma 14.7.6, Ventura 13.7.6) to receive the vendor fix.", "Restrict or revoke location permissions for applications that do not require them to reduce the risk of accidental data leakage.", "Verify that no unknown or untrusted apps are installed; remove any that may attempt to harvest location data."], "summary": {"action": "Patch Update", "impact": "Privacy Violation: Location Data Exposure"}, "threat_synthesis": {"affected_systems": "Apple products affected include iPadOS and macOS. The issue is fixed in iPadOS 17.7.7, macOS Sequoia 15.5, macOS Sonoma 14.7.6, and macOS Ventura 13.7.6. Earlier releases lacking these updates are susceptible.", "description_and_impact": "The vulnerability permits a malicious application to read sensitive location data that was previously protected. This constitutes a privacy violation, allowing an attacker to obtain personal geographic information without user consent. The weakness is categorized as CWE\u2011200, a confidentiality vulnerability.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA's KEV catalog. The attack is likely local, involving a malicious app that can read location information, as the description states an app may be able to do so."}}}}, "created": "2026-04-28T11:30:29.829650+00:00", "title": "Sensitive Location Data Exposure via Malicious App", "updated": "2026-04-28T11:30:29.829661+00:00", "vendors": []}