CVE-2025-24201: Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability
First published: Wed Mar 05 2025(Updated: )
<p>This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see <a href="https://chromereleases.googleblog.com/2024">Google Chrome Releases</a> for more information.</p> <p>Google is aware of reports that an exploit for CVE-2025-24201 exists in the wild.</p>
Credit: Apple product-security@apple.com Apple Security Engineering Architecture (SEAR)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| visionOS | <2.3.2 | 2.3.2 |
| macOS | <15.3.2 | 15.3.2 |
| Microsoft Edge Beta | <134.0.3124.62 | |
| Apple Multiple Products | ||
| Google Chrome | <134.0.6998.88 | 134.0.6998.88 |
| Safari | <18.3.1 | 18.3.1 |
| Microsoft Edge | ||
| visionOS | <2.3.2 | |
| Apple iOS and iPadOS | <17.2 | |
| Apple iOS, iPadOS, and macOS | <17.2 | |
| macOS | <15.3.2 | |
| Apple iOS and iPadOS | <18.3.2 | 18.3.2 |
| Apple iOS, iPadOS, and macOS | <18.3.2 | 18.3.2 |
| Safari | <18.3.1 | |
| Apple iOS, iPadOS, and macOS | <18.3.2 | |
| iPhone OS | <18.3.2 | |
| macOS | <15.3.2 | |
| visionOS | <2.3.2 | |
| debian/chromium | <=134.0.6998.35-1~deb12u1 | 134.0.6998.117-1~deb12u1 |
| debian/webkit2gtk | <=2.44.2-1~deb11u1<=2.46.6-1~deb11u1<=2.46.6-1~deb12u1 | 2.48.0-1~deb12u1 2.48.0-1 |
| debian/wpewebkit | <=2.38.6-1~deb11u1<=2.38.6-1 | 2.48.0-1 |
Remedy
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/122284 (Advisory)
- https://support.apple.com/en-us/122283 (Advisory)
- https://www.theregister.com/2025/03/12/patch_tuesday/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24201 (Advisory)
- https://support.apple.com/en-us/122281 (Advisory)
- https://support.apple.com/en-us/122285 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-24201
- https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html (Advisory)
- https://access.redhat.com/errata/RHSA-2025:2863
- https://access.redhat.com/errata/RHSA-2025:2864
- https://access.redhat.com/errata/RHSA-2025:2997
- https://access.redhat.com/errata/RHSA-2025:2998
- https://access.redhat.com/errata/RHSA-2025:3000
- https://access.redhat.com/errata/RHSA-2025:3001
- https://access.redhat.com/errata/RHSA-2025:3002
- https://access.redhat.com/errata/RHSA-2025:3005
- https://access.redhat.com/errata/RHSA-2025:3034
- https://bugzilla.redhat.com/show_bug.cgi?id=2351802
- http://seclists.org/fulldisclosure/2025/Mar/2
- http://seclists.org/fulldisclosure/2025/Mar/3
- http://seclists.org/fulldisclosure/2025/Mar/4
- http://seclists.org/fulldisclosure/2025/Mar/5
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24201
- https://launchpad.net/bugs/cve/CVE-2025-24201
- https://security-tracker.debian.org/tracker/CVE-2025-24201
- https://ubuntu.com/security/CVE-2025-24201
- https://webkitgtk.org/security/WSA-2025-0002.html
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2025-24201?
CVE-2025-24201 is considered a critical vulnerability due to its potential to allow unauthorized actions through an out-of-bounds write issue.
How do I fix CVE-2025-24201?
To mitigate CVE-2025-24201, upgrade to visionOS 2.3.2, iOS 18.3.2, iPadOS 18.3.2, or macOS Sequoia 15.3.2.
What software versions are affected by CVE-2025-24201?
CVE-2025-24201 affects versions of visionOS prior to 2.3.2, iOS prior to 18.3.2, iPadOS prior to 18.3.2, and macOS Sequoia prior to 15.3.2.
What type of attack can exploit CVE-2025-24201?
CVE-2025-24201 can be exploited through maliciously crafted web content allowing it to escape the Web Content sandbox.
Which Apple product requires an update to address CVE-2025-24201?
Apple products including visionOS, iOS, iPadOS, macOS Sequoia, and Safari require an update to address CVE-2025-24201.
- agent/type
- collector/apple-support
- source/Apple
- agent/software-canonical-lookup
- collector/the-register
- source/The Register
- alias/CVE-2025-24993
- alias/CVE-2025-24991
- alias/CVE-2025-24984
- alias/CVE-2025-24985
- alias/CVE-2025-24983
- alias/CVE-2025-26633
- alias/CVE-2025-24035
- alias/CVE-2025-24045
- alias/CVE-2025-26645
- alias/CVE-2025-24057
- alias/CVE-2025-24064
- alias/CVE-2025-24084
- alias/CVE-2025-26630
- alias/CVE-2025-24201
- alias/CVE-2024-50302
- alias/CVE-2024-43093
- agent/news-ai
- zeroday/true
- exploited/true
- collector/msrc
- source/Microsoft
- collector/msrc-cve
- agent/weakness
- collector/cisa-known-exploited
- source/CISA
- agent/remedy
- agent/title
- collector/chrome-releases
- agent/author
- agent/first-publish-date
- agent/severity
- agent/last-modified-date
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- agent/software-canonical-lookup-request
- agent/guess-ai
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/source
- agent/tags
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- vendor/apple
- canonical/visionos
- canonical/macos
- vendor/microsoft
- canonical/microsoft edge beta
- canonical/apple multiple products
- vendor/google
- canonical/google chrome
- canonical/safari
- canonical/microsoft edge
- canonical/apple ios and ipados
- canonical/apple ios, ipados, and macos
- canonical/iphone os
- package-manager/debian