First published: Mon Mar 31 2025(Updated: )
A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack.
Credit: Zhongcheng Li, IES Red Team of ByteDance; Lehan Dilusha, Sri Lanka (@zorrosign); an anonymous researcher; Ron Masas, BREAKPOINT; Hossein Lotfi (@hosselot), Trend Micro Zero Day Initiative; Dominik Rath; Martin Kreichgauer, Google Chrome; Yutong Xiu; Denis Tokarev (@illusionofcha0s); Google Threat Analysis Group; pattern-f (@pattern_F_); Jonathan Bar Or (@yo_yo_yo_jbo), Microsoft; CVE-2024-9681; Gergely Kalman (@gergely_kalman); Andr.Ess; Kirin (@Pwnrin); LFY (@secsys), Fudan University; mzzzz__; Anonymous, Trend Micro Zero Day Initiative; Wang Yu, Cyberserval; Muhammad Zaid Ghifari (Mr.ZheeV), Kalimantan Utara; Michael (Biscuit) Thomas (@social.lol, @biscuit); CVE-2024-48958; CVE-2025-27113; CVE-2024-56171; Alex Radocea, Supernetworks; Dave G., Supernetworks; 风沐云烟 (@binary_fmyy); Minghao Lin (@Y1nKoc); Florian Draschbacher; Jimmy Jax Reissner; Dalibor Milanovic; Mickey Jin (@patch1t); @RenwaX23; Jaydev Ahire; Syarif Muhammad Sajjad; Bing Shi, Alibaba Group; Wenchao Li, Alibaba Group; Xiaolong Bai, Alibaba Group; Luyi Xing, Indiana University Bloomington; Halle Winkler, Politepix theoffcuts.org; Andrew James Gonzalez; Bohdan Stasiuk (@bohdan_stasiuk); YingQi Shi (@Mas0nShi), DBAppSecurity's WeBin lab; Richard Hyunho Im with routezero.security (@richeeta); Alexander Heinrich (@Sn0wfreeze), SEEMOO, TU Darmstadt & Mathy Vanhoef (@vanhoefm), Jeroen Robben (@RobbenJeroen), DistriNet, KU Leuven; Vsevolod Kokorin (Slonser), Solidlab; Gary Kwong; Paul Bakker, ParagonERP; Google V8 Security Team; Francisco Alonso (@revskills); rheza (@ginggilBesel); product-security@apple.com
Affected Software | Affected Version | How to fix |
---|---|---|
Apple iOS | <18.4 | Update to iOS 18.4 |
Apple iPadOS | <18.4 | Update to iPadOS 18.4 |
Safari (the fixed component on macOS; the macOS version number is not the relevant one) | <18.4 | Update to Safari 18.4 |
CVE-2025-24208 has been categorized as a medium severity vulnerability.
To fix CVE-2025-24208, upgrade to iOS 18.4 or iPadOS 18.4 on mobile devices, or to Safari 18.4 on macOS; no other mitigation is documented in the advisory.
CVE-2025-24208 is a permissions issue in how an embedded iframe is handled. Apple addressed it by adding restrictions; the advisory does not say which restriction was missing, only that loading a malicious iframe could lead to cross-site scripting.
CVE-2025-24208 affects all versions earlier than Safari 18.4, iOS 18.4, and iPadOS 18.4.
CVE-2025-24208 is exploitable remotely, but it needs user interaction: the victim must load a web page that embeds the attacker-controlled iframe. A successful attack would run script in the context of another site, so the impact is that of a cross-site scripting bug rather than device compromise.
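For anyone triaging a fleet against this advisory, the practical check is a numeric version comparison against the fixed releases. The script below is an added example, not code from the advisory or from Apple: the fixed versions (Safari 18.4, iOS 18.4, iPadOS 18.4) come from the advisory, while the inventory records and the `is_affected` / `triage` helpers are constructed for illustration. It deliberately treats products the advisory does not list (including a bare "macOS" entry, since Safari is the fixed component there) as unknown rather than patched, and it compares versions as integer tuples so that 18.3.2 sorts below 18.4 and 18.10 above it, which naive string comparison gets wrong.

```python
"""Triage inventory records against the CVE-2025-24208 fix versions.

Added example, not part of the advisory. Fixed versions are taken from the
advisory; SAMPLE_INVENTORY is constructed sample data.
"""
import re

# Minimum fixed version per product, as published in the advisory.
# Keys are normalized (lowercase, no spaces) by is_affected().
FIXED_VERSIONS = {
    "ios": (18, 4),
    "ipados": (18, 4),
    "safari": (18, 4),
}


def parse_version(text):
    """Turn '18.3.2', '18.4' or '18_3_2' into a tuple of ints.

    Tuples compare numerically, so (18, 3, 2) < (18, 4) and
    (18, 10) > (18, 4); comparing the raw strings would get both wrong.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(product, version):
    """Return True if product/version is below the fixed release.

    Returns None for products the advisory does not cover (e.g. Chrome,
    or a bare 'macOS' entry, since Safari is the fixed component there),
    so a caller cannot mistake 'not covered' for 'patched'.
    """
    fixed = FIXED_VERSIONS.get(product.lower().replace(" ", ""))
    if fixed is None:
        return None
    return parse_version(version) < fixed


def triage(inventory):
    """Split (host, product, version) records into affected/patched/unknown."""
    report = {"affected": [], "patched": [], "unknown": []}
    for host, product, version in inventory:
        verdict = is_affected(product, version)
        if verdict is None:
            report["unknown"].append(host)
        elif verdict:
            report["affected"].append(host)
        else:
            report["patched"].append(host)
    return report


# Constructed sample data; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("iphone-alice", "iOS", "18.3.2"),
    ("ipad-bob", "iPadOS", "18.4"),
    ("mac-carol", "Safari", "18.4.1"),
    ("mac-dave", "Safari", "17.6"),
    ("ipad-erin", "iPadOS", "17.7.5"),
    ("mac-frank", "macOS", "15.3"),
    ("android-grace", "Chrome", "134.0"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it as-is to see the three buckets; feed it real MDM export rows in place of `SAMPLE_INVENTORY`. The "unknown" bucket is intentional: a record that names only the OS on a Mac tells you nothing about which Safari is installed, so it should be re-queried rather than marked patched.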