CVE-2025-24246 - Vulnerability Details

Description

An injection issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access user-sensitive data.

Published: 2025-03-31

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An injection flaw in macOS was discovered, wherein an application could inject malformed input to bypass data validation. The vulnerability is classified as an information exposure issue (CWE‑200) and permits an attacker to read sensitive user data from the affected system. The flaw does not grant code execution or privilege escalation; its primary impact is confidentiality loss.

Affected Systems

Apple macOS is affected, with the issue addressed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, and macOS Ventura 13.7.5. Any earlier releases that have not applied these updates remain vulnerable. The vulnerability applies to the operating system itself, so the resilience of any installed third‑party software also depends on those updates.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity. However, the EPSS value of less than 1 % indicates that, as of now, exploitation opportunities are very low. The vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. It is inferred that the attack vector relies on injection of crafted input, likely from a local application, rather than remote attack. The expected consequence is data compromise with minimal other system impacts.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apple

macOS

affected

Version	Status	Constraints
`0`	affected	< 13.7.5
`0`	affected	< 14.7.5
`0`	affected	< 15.4

Configuration 1 [-]

OR	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update macOS to Sequoia 15.4 or later, Sonoma 14.7.5 or later, or Ventura 13.7.5 or later to obtain the injection validation fix.
Revoke or restrict permissions for applications that read sensitive user data, ensuring only trusted apps retain necessary access.
Review and configure Application Gatekeeper settings to block untrusted or outdated applications that might exploit the flaw.

Generated by OpenCVE AI on April 28, 2026 at 19:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-8962	An injection issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access user-sensitive data.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00698.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
http://seclists.org/fulldisclosure/2025/Apr/10
http://seclists.org/fulldisclosure/2025/Apr/8
http://seclists.org/fulldisclosure/2025/Apr/9
https://support.apple.com/en-us/122373
https://support.apple.com/en-us/122374
https://support.apple.com/en-us/122375

History

Thu, 02 Apr 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	An injection issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access user-sensitive data.	An injection issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. An app may be able to access user-sensitive data.

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		http://seclists.org/fulldisclosure/2025/Apr/10 http://seclists.org/fulldisclosure/2025/Apr/8 http://seclists.org/fulldisclosure/2025/Apr/9

Mon, 07 Apr 2025 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apple Apple macos
CPEs		cpe:2.3:o:apple:macos::::::::
Vendors & Products		Apple Apple macos

Tue, 01 Apr 2025 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 31 Mar 2025 22:45:00 +0000

Type	Values Removed	Values Added
Description		An injection issue was addressed with improved validation. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access user-sensitive data.
References		https://support.apple.com/en-us/122373 https://support.apple.com/en-us/122374 https://support.apple.com/en-us/122375

Subscriptions

Apple Macos

MITRE

Status: PUBLISHED

Assigner: apple

Published: 2025-03-31T22:23:14.438Z

Updated: 2026-04-02T18:16:17.381Z

Reserved: 2025-01-17T00:00:45.009Z

Link: CVE-2025-24246

Vulnrichment

Updated: 2025-11-03T21:10:46.734Z

NVD

Status : Modified

Published: 2025-03-31T23:15:21.820

Modified: 2026-04-02T19:19:26.420

Link: CVE-2025-24246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:15:25Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object