medium
6.1
CWE
119 20 79
Advisory Published
CVE Published
Updated

CVE-2025-24208: Buffer Overflow

First published: Mon Mar 31 2025(Updated: )

A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack.

Credit: Zhongcheng Li IES Red Team of ByteDanceLehan Dilusha Sri Lanka @zorrosign an anonymous researcher Ron Masas BREAKPOINTHossein Lotfi @hosselot Trend Micro Zero Day InitiativeDominik Rath Martin Kreichgauer Google ChromeYutong Xiu Denis Tokarev @illusionofcha0s Google Threat Analysis Group pattern-f @pattern_F_ Jonathan Bar Or @yo_yo_yo_jbo MicrosoftCVE-2024-9681 Gergely Kalman @gergely_kalman Andr.Ess Kirin @Pwnrin LFY @secsys Fudan Universitymzzzz__ Anonymous Trend Micro Zero Day InitiativeWang Yu CyberservalMuhammad Zaid Ghifari (Mr.ZheeV) Kalimantan Utara Michael (Biscuit) Thomas - @social.lol @biscuit CVE-2024-48958 CVE-2025-27113 CVE-2024-56171 Alex Radocea SupernetworksDave G. Supernetworks风沐云烟 @binary_fmyy Minghao Lin @Y1nKoc Florian Draschbacher Jimmy Jax Reissner Dalibor Milanovic Mickey Jin @patch1t @RenwaX23 Jaydev Ahire Syarif Muhammad Sajjad Bing Shi Alibaba GroupWenchao Li Alibaba GroupXiaolong Bai Alibaba GroupLuyi Xing Indiana University BloomingtonHalle Winkler Politepix theoffcuts.org Andrew James Gonzalez Bohdan Stasiuk @bohdan_stasiuk YingQi Shi @Mas0nShi DBAppSecurity's WeBin labRichard Hyunho Im with routezero.security @richeeta Alexander Heinrich @Sn0wfreeze SEEMOO TU Darmstadt & Mathy Vanhoef @vanhoefm Jeroen Robben @RobbenJeroen DistriNet KU Leuven Vsevolod Kokorin (Slonser) SolidlabGary Kwong Paul Bakker ParagonERPGoogle V8 Security Team Francisco Alonso @revskills rheza @ginggilBesel product-security@apple.com

Affected SoftwareAffected VersionHow to fix
Apple iOS and iPadOS<18.4
18.4
Apple iOS, iPadOS, and macOS<18.4
18.4
Safari<18.4
18.4
Safari<18.4
Apple iOS, iPadOS, and macOS<18.4
iPhone OS<18.4
debian/webkit2gtk<=2.44.2-1~deb11u1<=2.46.6-1~deb11u1<=2.46.6-1~deb12u1
2.48.1-2~deb12u1
2.48.1-2
debian/wpewebkit<=2.38.6-1~deb11u1<=2.38.6-1
2.48.1-1

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Peer vulnerabilities

(Found alongside the following vulnerabilities)

Frequently Asked Questions

  • What is the severity of CVE-2025-24208?

    CVE-2025-24208 has been categorized as a medium severity vulnerability.

  • How do I fix CVE-2025-24208?

    To fix CVE-2025-24208, upgrade to Safari 18.4, iOS 18.4, or iPadOS 18.4.

  • What type of vulnerability is CVE-2025-24208?

    CVE-2025-24208 is a permissions issue that could lead to a cross-site scripting attack.

  • Which versions are affected by CVE-2025-24208?

    CVE-2025-24208 affects versions earlier than Safari 18.4, iOS 18.4, and iPadOS 18.4.

  • Can CVE-2025-24208 be exploited remotely?

    Yes, CVE-2025-24208 can be exploited remotely through a malicious iframe.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203