Description
The issue was addressed with improved access restrictions to the file system. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user.
Published: 2025-01-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: User fingerprinting via webpage
Action: Apply Patch
AI Analysis

Impact

A maliciously crafted webpage can read parts of the file system that should be inaccessible to a regular web page, allowing the browser to identify unique characteristics of the user’s environment. The flaw is a weakness in access control, classified under CWE‑862. The impact is primarily privacy‑related, potentially enabling an attacker to profile or identify the victim by revealing system configuration details.

Affected Systems

Apple’s web browser ecosystem—including Safari, iOS, iPadOS, macOS Sequoia, and visionOS—is affected. The vulnerability is fixed in Safari 18.3, iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, and visionOS 2.3. Based on the description, it is inferred that any version prior to these may remain vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and an EPSS score of less than 1% shows low current exploitation likelihood. It is not listed in the CISA KEV catalog. The likely attack vector is a user visiting a maliciously crafted webpage in the browser, without needing elevated privileges or additional network access. No remote code execution or privilege escalation is reported.

Generated by OpenCVE AI on April 28, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari to 18.3 or later, and update iOS, iPadOS, macOS Sequoia, and visionOS to the latest releases that include the file‑system access restriction fix; this is the official solution from Apple.
  • Until the update is applied, users should avoid browsing untrusted or suspicious websites that may contain fingerprinting payloads.
  • If an immediate update is not possible, consider disabling or uninstalling browser extensions that can access local files, as they could amplify the fingerprinting capability.

Generated by OpenCVE AI on April 28, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4051-1 webkit2gtk security update
Debian DSA Debian DSA DSA-5865-1 webkit2gtk security update
EUVD EUVD EUVD-2025-3650 The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user.
Ubuntu USN Ubuntu USN USN-7279-1 WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user. The issue was addressed with improved access restrictions to the file system. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user.

Mon, 03 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Thu, 03 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9

Tue, 04 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 12 Feb 2025 13:45:00 +0000

Type Values Removed Values Added
Title webkitgtk: A maliciously crafted webpage may be able to fingerprint the user
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 04 Feb 2025 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-862
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Jan 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple macos
Apple safari
Apple visionos
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple macos
Apple safari
Apple visionos
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Mon, 27 Jan 2025 22:00:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved access restrictions to the file system. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3, visionOS 2.3. A maliciously crafted webpage may be able to fingerprint the user.
References

Subscriptions

Apple Ipados Macos Safari Visionos
Redhat Enterprise Linux Rhel Els
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:17:16.826Z

Reserved: 2025-01-17T00:00:44.975Z

Link: CVE-2025-24143

cve-icon Vulnrichment

Updated: 2025-11-03T21:03:50.424Z

cve-icon NVD

Status : Modified

Published: 2025-01-27T22:15:18.893

Modified: 2026-04-02T19:19:06.760

Link: CVE-2025-24143

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-27T21:46:05Z

Links: CVE-2025-24143 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T12:15:30Z

Weaknesses