CVE-2025-24208 - Vulnerability Details

- webkitgtk: Loading a malicious iframe may lead to a cross-site scripting attack

Description

A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack.

Published: 2025-03-31

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw is a permissions issue that allows a malicious iframe to bypass normal sandboxing and execute script code within the context of a trusted web page, resulting in a cross‑site scripting attack. The vulnerability is specifically listed as being fixed in Safari 18.4, iOS 18.4, and iPadOS 18.4 and was observed when an attacker hosts a crafted iframe on an otherwise benign site.

Affected Systems

Apple Safari, iOS, and iPadOS are affected. The patch versions that address the issue are Safari 18.4, iOS 18.4, and iPadOS 18.4. RedHat Enterprise Linux 8, RedHat Enterprise Linux 9, and associated extended support releases (RHEL AU, E4S, EUS, TUS) are also affected. No other vendors or products are reported to be impacted at this time.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation. The vulnerability is not listed in CISA KEV. Based on the description, the attack vector is likely the loading of a malicious iframe within a web page in the browser, requiring the victim to visit or interact with the compromised content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

Safari

affected

Version	Status	Constraints
`0`	affected	< 18.4

Apple

iOS and iPadOS

affected

Version	Status	Constraints
`0`	affected	< 18.4

Configuration 1 [-]

OR	cpe:2.3:a:apple:safari::::::::
	cpe:2.3:o:apple:ipados::::::::
	cpe:2.3:o:apple:iphone_os::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
webkitgtk4-0:2.48.3-2.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:10364	2025-07-07T00:00:00Z
Red Hat Enterprise Linux 8
webkit2gtk3-0:2.48.1-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:3974	2025-04-17T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
webkit2gtk3-0:2.48.1-2.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:8194	2025-05-27T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
webkit2gtk3-0:2.48.1-2.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:8064	2025-05-21T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
webkit2gtk3-0:2.48.1-2.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:8064	2025-05-21T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
webkit2gtk3-0:2.48.1-2.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:8064	2025-05-21T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
webkit2gtk3-0:2.48.1-2.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:8066	2025-05-21T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
webkit2gtk3-0:2.48.1-2.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:8066	2025-05-21T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
webkit2gtk3-0:2.48.1-2.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:8066	2025-05-21T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
webkit2gtk3-0:2.48.1-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:4445	2025-05-05T00:00:00Z
Red Hat Enterprise Linux 9
webkit2gtk3-0:2.48.1-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:3713	2025-04-08T00:00:00Z
webkit2gtk3-0:2.48.1-1.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:7387	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
webkit2gtk3-0:2.48.1-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:8065	2025-05-21T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
webkit2gtk3-0:2.48.1-3.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:3756	2025-04-09T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
webkit2gtk3-0:2.48.1-2.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:3755	2025-04-09T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Safari, iOS, or iPadOS update (18.4 or newer).
Update RedHat Enterprise Linux or the WebKitGTK library to the latest patched version via the package manager.
Avoid opening untrusted web pages that may contain malicious iframes; consider using content‑filtering or browser extensions to block unknown iframes.

Generated by OpenCVE AI on April 28, 2026 at 11:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4218-1	webkit2gtk security update
Debian DSA	DSA-5899-1	webkit2gtk security update
EUVD	EUVD-2025-8987	A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack.
Ubuntu USN	USN-7436-1	WebKitGTK vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00315.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://seclists.org/fulldisclosure/2025/Apr/2
http://seclists.org/fulldisclosure/2025/Apr/4
https://lists.debian.org/debian-lts-announce/2025/06/msg00016.html
https://nvd.nist.gov/vuln/detail/CVE-2025-24208
https://support.apple.com/en-us/122371
https://support.apple.com/en-us/122379
https://webkitgtk.org/security/WSA-2025-0003.html
https://www.cve.org/CVERecord?id=CVE-2025-24208

History

Mon, 03 Nov 2025 21:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2025/Apr/2 http://seclists.org/fulldisclosure/2025/Apr/4

Mon, 03 Nov 2025 20:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/06/msg00016.html

Mon, 07 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els

Tue, 27 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2

Thu, 22 May 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus

Mon, 05 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:8.8

Fri, 18 Apr 2025 03:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8

Thu, 10 Apr 2025 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.4
Vendors & Products		Redhat rhel Eus

Wed, 09 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Tue, 08 Apr 2025 02:00:00 +0000

Type	Values Removed	Values Added
Title		webkitgtk: Loading a malicious iframe may lead to a cross-site scripting attack
References		https://nvd.nist.gov/vuln/detail/CVE-2025-24208 https://webkitgtk.org/security/WSA-2025-0003.html https://www.cve.org/CVERecord?id=CVE-2025-24208
Metrics	threat_severity `None`	threat_severity `Moderate`

Mon, 07 Apr 2025 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple ipados Apple iphone Os Apple safari
CPEs		cpe:2.3:a:apple:safari:::::::: cpe:2.3:o:apple:ipados:::::::: cpe:2.3:o:apple:iphone_os::::::::
Vendors & Products		Apple Apple ipados Apple iphone Os Apple safari

Tue, 01 Apr 2025 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-79
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		A permissions issue was addressed with additional restrictions. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4. Loading a malicious iframe may lead to a cross-site scripting attack.
References		https://support.apple.com/en-us/122371 https://support.apple.com/en-us/122379

Subscriptions

Apple Ipados Iphone Os Safari

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-03-31T22:23:30.722Z

Updated: 2026-04-02T18:19:19.101Z

Reserved: 2025-01-17T00:00:45.001Z

Link: CVE-2025-24208

Vulnrichment

Updated: 2025-04-01T20:40:45.456Z

NVD

Status : Modified

Published: 2025-03-31T23:15:18.773

Modified: 2025-11-03T21:19:34.200

Link: CVE-2025-24208

Redhat

Severity : Moderate

Publid Date: 2025-04-07T00:00:00Z

Links: CVE-2025-24208 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T11:45:30Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object