The Digital Security Authority (DSA) wants to bring to your attention a vulnerability affecting WebKit (CVE-2025-24201).
Technical Details
This vulnerability is an out-of-bounds write in WebKit. Maliciously crafted web content can use it to execute arbitrary code and escape the Web Content sandbox, allowing an attacker to bypass security controls and run code outside of the intended, restricted environment.
If a user visits a malicious website, the attacker could exploit the out-of-bounds write in WebKit to modify memory outside of its allocated bounds. This could lead to arbitrary code execution and enable the attacker to escape the Web Content sandbox, gaining higher-level access to the system. The vulnerability is particularly dangerous because it has already been exploited in targeted attacks on older versions of iOS, indicating a high risk of further targeted exploitation.
Affected Products:
- iOS – Versions prior to iOS 18.3.2
- iPadOS – Versions prior to iPadOS 18.3.2
- macOS – Versions prior to macOS Sequoia 15.3.2
- Safari – Versions prior to Safari 18.3.1
- visionOS – Versions prior to visionOS 2.3.2
Fixed Versions:
To mitigate the risks associated with CVE-2025-24201, Apple has released security updates that address the vulnerability through improved bounds checking:
- iOS - Version 18.3.2
- iPadOS - Version 18.3.2
- macOS - Version Sequoia 15.3.2
- Safari - Version 18.3.1
- visionOS - Version 2.3.2
Recommendations
The Digital Security Authority recommends that users update affected products to the corresponding fixed versions of iOS (18.3.2), iPadOS (18.3.2), macOS (Sequoia 15.3.2), Safari (18.3.1), and visionOS (2.3.2) to ensure their devices are protected.
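The following script, added here as an illustration and not part of the DSA advisory, checks a device inventory against the fixed versions listed above and reports every device still below them. The inventory format and hostnames are constructed; only the version numbers come from the advisory.

```python
import re

# Minimum fixed versions from the advisory (CVE-2025-24201), keyed by product.
FIXED_VERSIONS = {
    "ios": "18.3.2",
    "ipados": "18.3.2",
    "macos": "15.3.2",  # macOS Sequoia 15.3.2
    "safari": "18.3.1",
    "visionos": "2.3.2",
}

def parse_version(text):
    """Pull the dotted numeric version out of strings such as 'Sequoia 15.3.2'
    or '18.3' and return it as a tuple padded to three components."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def is_patched(product, installed):
    """True when the installed version is at or above the advisory's fixed one.
    Products the advisory does not list are treated as unaffected."""
    fixed = FIXED_VERSIONS.get(product.strip().lower())
    if fixed is None:
        return True
    return parse_version(installed) >= parse_version(fixed)

def find_unpatched(inventory):
    """Return (hostname, product, version) for every device still exposed."""
    return [
        (host, product, version)
        for host, product, version in inventory
        if not is_patched(product, version)
    ]

# Constructed sample inventory (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("phone-01", "iOS", "18.3.2"),
    ("phone-02", "iOS", "18.3.1"),
    ("tablet-01", "iPadOS", "17.7"),
    ("mac-01", "macOS", "Sequoia 15.3.2"),
    ("mac-02", "macOS", "Sequoia 15.3"),
    ("headset-01", "visionOS", "2.4"),
]

if __name__ == "__main__":
    for host, product, version in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

The macOS row compares only the operating system version, so the Safari build on a host is checked by giving it its own "Safari" row in the inventory.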
References
The information presented in this report is based on available data up to the 14th of March 2025.