CVE-2025-24208: Buffer Overflow
First published: Mon Mar 31 2025(Updated: )
A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack.
Credit: Zhongcheng Li IES Red Team of ByteDanceLehan Dilusha Sri Lanka @zorrosign an anonymous researcher Ron Masas BREAKPOINTHossein Lotfi @hosselot Trend Micro Zero Day InitiativeDominik Rath Martin Kreichgauer Google ChromeYutong Xiu Denis Tokarev @illusionofcha0s Google Threat Analysis Group pattern-f @pattern_F_ Jonathan Bar Or @yo_yo_yo_jbo MicrosoftCVE-2024-9681 Gergely Kalman @gergely_kalman Andr.Ess Kirin @Pwnrin LFY @secsys Fudan Universitymzzzz__ Anonymous Trend Micro Zero Day InitiativeWang Yu CyberservalMuhammad Zaid Ghifari (Mr.ZheeV) Kalimantan Utara Michael (Biscuit) Thomas - @social.lol @biscuit CVE-2024-48958 CVE-2025-27113 CVE-2024-56171 Alex Radocea SupernetworksDave G. Supernetworks风沐云烟 @binary_fmyy Minghao Lin @Y1nKoc Florian Draschbacher Jimmy Jax Reissner Dalibor Milanovic Mickey Jin @patch1t @RenwaX23 Jaydev Ahire Syarif Muhammad Sajjad Bing Shi Alibaba GroupWenchao Li Alibaba GroupXiaolong Bai Alibaba GroupLuyi Xing Indiana University BloomingtonHalle Winkler Politepix theoffcuts.org Andrew James Gonzalez Bohdan Stasiuk @bohdan_stasiuk YingQi Shi @Mas0nShi DBAppSecurity's WeBin labRichard Hyunho Im with routezero.security @richeeta Alexander Heinrich @Sn0wfreeze SEEMOO TU Darmstadt & Mathy Vanhoef @vanhoefm Jeroen Robben @RobbenJeroen DistriNet KU Leuven Vsevolod Kokorin (Slonser) SolidlabGary Kwong Paul Bakker ParagonERPGoogle V8 Security Team Francisco Alonso @revskills rheza @ginggilBesel product-security@apple.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple iOS and iPadOS | <18.4 | 18.4 |
| Apple iOS, iPadOS, and macOS | <18.4 | 18.4 |
| Safari | <18.4 | 18.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://support.apple.com/en-us/122371 (Advisory)
- https://support.apple.com/en-us/122379 (Advisory)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2025-24202
- CVE-2025-24221
- CVE-2025-24097
- CVE-2025-24244
- CVE-2025-24243
- CVE-2025-30430
- CVE-2025-24180
- CVE-2025-24237
- CVE-2025-30429
- CVE-2025-24212
- CVE-2025-24163
- CVE-2025-24230
- CVE-2025-24211
- CVE-2025-24190
- CVE-2025-30454
- CVE-2025-31191
- CVE-2025-24182
- CVE-2024-9681
- CVE-2025-30456
- CVE-2025-30439
- CVE-2025-24283
- CVE-2025-30447
- CVE-2025-30463
- CVE-2025-24210
- CVE-2025-24257
- CVE-2025-30434
- CVE-2025-30432
- CVE-2024-48958
- CVE-2025-24194
- CVE-2025-27113
- CVE-2024-56171
- CVE-2025-24178
- CVE-2025-31182
- CVE-2025-24238
- CVE-2025-30470
- CVE-2025-24193
- CVE-2025-30426
- CVE-2025-30428
- CVE-2025-30469
- CVE-2025-24173
- CVE-2025-24095
- CVE-2025-24113
- CVE-2025-30467
- CVE-2025-31192
- CVE-2025-24167
- CVE-2025-30471
- CVE-2025-30438
- CVE-2025-30433
- CVE-2025-31183
- CVE-2025-24217
- CVE-2025-24214
- CVE-2025-24205
- CVE-2025-24198
- CVE-2025-31184
- CVE-2025-24192
- CVE-2025-24264
- CVE-2025-24216
- CVE-2025-24213
- CVE-2025-24209
- CVE-2025-24208
- CVE-2025-30427
- CVE-2025-30425
Frequently Asked Questions
What is the severity of CVE-2025-24208?
CVE-2025-24208 has been categorized as a medium severity vulnerability.
How do I fix CVE-2025-24208?
To fix CVE-2025-24208, upgrade to Safari 18.4, iOS 18.4, or iPadOS 18.4.
What type of vulnerability is CVE-2025-24208?
CVE-2025-24208 is a permissions issue that could lead to a cross-site scripting attack.
Which versions are affected by CVE-2025-24208?
CVE-2025-24208 affects versions earlier than Safari 18.4, iOS 18.4, and iPadOS 18.4.
Can CVE-2025-24208 be exploited remotely?
Yes, CVE-2025-24208 can be exploited remotely through a malicious iframe.
- agent/first-publish-date
- collector/apple-support
- source/Apple
- alias/CVE-2025-24221
- alias/CVE-2025-24097
- alias/CVE-2025-24244
- alias/CVE-2025-24243
- alias/CVE-2025-30430
- alias/CVE-2025-24180
- alias/CVE-2025-24237
- alias/CVE-2025-30429
- alias/CVE-2025-24212
- alias/CVE-2025-24163
- alias/CVE-2025-24230
- alias/CVE-2025-24211
- alias/CVE-2025-24190
- alias/CVE-2025-30454
- alias/CVE-2025-31191
- alias/CVE-2025-24182
- alias/CVE-2024-9681
- alias/CVE-2025-30456
- alias/CVE-2025-30439
- alias/CVE-2025-24283
- alias/CVE-2025-30447
- alias/CVE-2025-30463
- alias/CVE-2025-24210
- alias/CVE-2025-24257
- alias/CVE-2025-30434
- alias/CVE-2025-30432
- alias/CVE-2024-48958
- alias/CVE-2025-24194
- alias/CVE-2025-27113
- alias/CVE-2024-56171
- alias/CVE-2025-24178
- alias/CVE-2025-31182
- alias/CVE-2025-24238
- alias/CVE-2025-30470
- alias/CVE-2025-24193
- alias/CVE-2025-30426
- alias/CVE-2025-30428
- alias/CVE-2025-30469
- alias/CVE-2025-24173
- alias/CVE-2025-24095
- alias/CVE-2025-24113
- alias/CVE-2025-30467
- alias/CVE-2025-31192
- alias/CVE-2025-24167
- alias/CVE-2025-30471
- alias/CVE-2025-30438
- alias/CVE-2025-30433
- alias/CVE-2025-31183
- alias/CVE-2025-24217
- alias/CVE-2025-24214
- alias/CVE-2025-24205
- alias/CVE-2025-24198
- alias/CVE-2025-31184
- alias/CVE-2025-24192
- alias/CVE-2025-24264
- alias/CVE-2025-24216
- alias/CVE-2025-24213
- alias/CVE-2025-24209
- alias/CVE-2025-24208
- alias/CVE-2025-30427
- alias/CVE-2025-30425
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/type
- agent/description
- agent/softwarecombine
- agent/author
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/event
- vendor/apple
- canonical/apple ios and ipados
- canonical/apple ios, ipados, and macos
- canonical/safari