The issue was addressed with improved input validation. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00109.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Apple Subscribe
Ipados Subscribe
Iphone Os Subscribe
Macos Subscribe
Safari Subscribe
Visionos Subscribe

Configuration 1 [-]

OR cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*

No data.

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9009 The issue was addressed with improved input validation. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix.
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://seclists.org/fulldisclosure/2025/Apr/12 cve-icon
http://seclists.org/fulldisclosure/2025/Apr/13 cve-icon
http://seclists.org/fulldisclosure/2025/Apr/2 cve-icon
http://seclists.org/fulldisclosure/2025/Apr/4 cve-icon
http://seclists.org/fulldisclosure/2025/Apr/8 cve-icon
https://support.apple.com/en-us/122371 cve-icon cve-icon
https://support.apple.com/en-us/122373 cve-icon cve-icon
https://support.apple.com/en-us/122378 cve-icon cve-icon
https://support.apple.com/en-us/122379 cve-icon cve-icon
History

Tue, 04 Nov 2025 06:30:00 +0900

Type Values Removed Values Added
References

Tue, 04 Nov 2025 05:30:00 +0900

Type Values Removed Values Added
References

Tue, 08 Apr 2025 03:45:00 +0900

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple visionos
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple visionos

Tue, 01 Apr 2025 23:15:00 +0900

Type Values Removed Values Added
Weaknesses CWE-601
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 07:45:00 +0900

Type Values Removed Values Added
Description The issue was addressed with improved input validation. This issue is fixed in Safari 18.4, visionOS 2.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A malicious website may be able to claim WebAuthn credentials from another website that shares a registrable suffix.
References

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2025-11-03T21:06:38.979Z

Reserved: 2025-01-17T00:00:44.993Z

Link: CVE-2025-24180

cve-icon Vulnrichment

Updated: 2025-11-03T21:06:38.979Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:17.083

Modified: 2025-11-03T21:19:31.297

Link: CVE-2025-24180

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses