Description
A privacy issue was addressed with improved handling of files. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3. Copying a URL from Web Inspector may lead to command injection.
Published: 2025-01-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

Copying a URL from the Web Inspector in Safari, iOS, iPadOS, or macOS Sequoia can trigger execution of arbitrary commands on the host system. The vulnerability falls under CWE‑77, indicating that user input is improperly passed to a system shell without adequate validation. If an attacker can cause a user to copy a crafted URL, the system could run malicious commands, resulting in loss of confidentiality, integrity, and potentially availability of the affected device.

Affected Systems

Apple’s Safari browsers, including all iOS, iPadOS, and macOS platforms, are affected. The issue is resolved in Safari 18.3, iOS 18.3, iPadOS 18.3, and macOS Sequoia 15.3 and later. Users of earlier releases are at risk; no other vendors or product versions are explicitly listed as impacted beyond the Apple platforms.

Risk and Exploitability

The CVSS score of 8.8 marks this flaw as high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation yet. Exploitation appears to rely on the user’s interaction with the Web Inspector feature, meaning that an attacker would need to persuade or trick a user into performing a copy action, or use a local compromise channel. Once leveraged, the attacker can run system commands from the host environment.

Generated by OpenCVE AI on April 28, 2026 at 03:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest version of Safari (18.3 or newer) and upgrade all iOS, iPadOS, and macOS systems to the 18.3 or 15.3 releases that contain the fix.
  • If an update is not immediately available, disable the Web Inspector feature or remove any extensions that provide it from the affected browsers to eliminate the attack surface.
  • Verify that no legacy or custom scripts are running within the Web Inspector environment; where possible, restrict local debugging interfaces to trusted administrators only.

Generated by OpenCVE AI on April 28, 2026 at 03:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4051-1 webkit2gtk security update
Debian DSA Debian DSA DSA-5865-1 webkit2gtk security update
EUVD EUVD EUVD-2025-3654 A privacy issue was addressed with improved handling of files. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3. Copying a URL from Web Inspector may lead to command injection.
Ubuntu USN Ubuntu USN USN-7279-1 WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A privacy issue was addressed with improved handling of files. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3. Copying a URL from Web Inspector may lead to command injection. A privacy issue was addressed with improved handling of files. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3. Copying a URL from Web Inspector may lead to command injection.

Mon, 03 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Jul 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Thu, 03 Apr 2025 03:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:9

Tue, 04 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Wed, 12 Feb 2025 13:45:00 +0000

Type Values Removed Values Added
Title webkitgtk: Copying a URL from Web Inspector may lead to command injection
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 05 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 30 Jan 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Weaknesses CWE-77
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 27 Jan 2025 22:00:00 +0000

Type Values Removed Values Added
Description A privacy issue was addressed with improved handling of files. This issue is fixed in macOS Sequoia 15.3, Safari 18.3, iOS 18.3 and iPadOS 18.3. Copying a URL from Web Inspector may lead to command injection.
References

Subscriptions

Apple Ipados Iphone Os Macos Safari
Redhat Enterprise Linux Rhel Els
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:24:31.554Z

Reserved: 2025-01-17T00:00:44.976Z

Link: CVE-2025-24150

cve-icon Vulnrichment

Updated: 2025-11-03T21:04:16.822Z

cve-icon NVD

Status : Modified

Published: 2025-01-27T22:15:19.270

Modified: 2026-04-02T19:19:07.940

Link: CVE-2025-24150

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-01-27T21:46:32Z

Links: CVE-2025-24150 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T04:00:05Z

Weaknesses