CRITICAL🇵🇱 Wersja polska

CVE-2025-30466

CVSS 9.8v3.1pub. 2025-05-29upd. 2026-04-02

This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4. A website may be able to bypass Same Origin Policy.

🤖 AI Analysis
How it works

The problem results from improper state management in the Safari browser engine. Through this vulnerability, a malicious website can bypass the Same Origin Policy mechanism, which normally prevents websites from accessing resources and data belonging to other domains. Apple fixed the bug by improving state management.

Impact

An attacker can gain unauthorized access to data from other domains visited by the victim, which may lead to session hijacking, cookie theft, sensitive information disclosure, or manipulation of content in the context of other websites.

Mitigation & patch

Update to the following versions: Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, or visionOS 2.4. Patches are available through standard Apple updates — details available at the manufacturer's reference addresses.

Who is affected

Safari before version 18.4, iOS and iPadOS before version 18.4, macOS Sequoia before version 15.4, visionOS before version 2.4

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple iPadOS

    OS
    Apple
    < 18.4
  • Apple iOS

    OS
    Apple
    < 18.4
  • Apple macOS

    OS
    Apple
    < 15.4
  • Apple Safari

    APP
    Apple
    < 18.4
  • Apple Visionos

    OS
    Apple
    < 2.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki