Summary
Apple has released a security update to address a zero-day vulnerability in the WebKit web rendering engine. This vulnerability could allow arbitrary code execution on affected devices.
Note: The vendor states that CVE-2025-24201 is being actively exploited online.
Risk
Vulnerability community impact estimate: Critical (79.23)
Type
- Security Feature Bypass
- Arbitrary Code Execution
Description and potential impacts
Active exploitation of the CVE-2025-24201 vulnerability related to WebKit, Apple’s web rendering engine used primarily in the Safari browser and other applications that need to display web content, has recently been detected.
This vulnerability – of the “Out-of-Bounds Write” type and with a CVSS v3.1 score of 9.8 – can be used to bypass the security mechanisms present in the WebKit sandbox, through appropriately crafted web content, in order to execute arbitrary code on vulnerable instances.
Affected products and/or versions
Apple
- iOS, versions prior to 18.3.2
- iPadOS, versions prior to 18.3.2
- macOS Sequoia, versions prior to 15.3.2
- visionOS, versions prior to 2.3.2
- Safari, versions prior to 18.3.1
Mitigation actions
In line with the vendor’s statements, it is recommended to apply the patches following the instructions reported in the security bulletins, available in the References section.
References
https://support.apple.com/en-us/122285
https://support.apple.com/en-us/122281
https://support.apple.com/en-us/122283
https://support.apple.com/en-us/122284
1This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.
