Description
This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4. A malicious website may be able to track users in Safari private browsing mode.
Published: 2025-03-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privacy Compromise
Action: Upgrade
AI Analysis

Impact

This vulnerability involves a flaw in the state management of Safari’s private browsing mode that could allow a malicious website to track users. The issue stems from a failure to enforce strict access control on private browsing sessions, a weakness classified as CWE-284 (Improper Control of Access Permissions), which may expose identifying data that should remain hidden when the user is in private mode. The resulting privacy breach could enable persistent tracking or profiling of users who rely on private browsing to avoid data leakage.

Affected Systems

The affected Apple products are Safari, iOS, iPadOS, macOS, tvOS, and watchOS. Per the vendor description, the issue is fixed in Safari 18.4, iOS 18.4, iPadOS 18.4 or 17.7.6, macOS Sequoia 15.4, tvOS 18.4, and watchOS 11.4; releases earlier than these are affected.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to host a malicious webpage and entice a user to visit that page while the user is in Safari’s private browsing mode. The data provided does not describe a publicly available exploit, so the threat remains theoretical, though the privacy implications are significant for users employing private browsing for anonymity.

Generated by OpenCVE AI on April 28, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Safari update 18.4 and the corresponding iOS and iPadOS updates (iOS 18.4 or iPadOS 18.4 / 17.7.6) to address the private browsing state‑management flaw.
  • Upgrade macOS Sequoia to 15.4, which includes the fix for the same issue in the desktop browser.
  • Install the newest tvOS 18.4 and watchOS 11.4 releases to secure those Apple platforms.

Advisories
Source ID Title
EUVD EUVD-2025-8928 This issue was addressed through improved state management. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A malicious website may be able to track users in Safari private browsing mode.
History

Tue, 28 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
Title Safari Private Browsing Tracking Vulnerability

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description
Removed: This issue was addressed through improved state management. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A malicious website may be able to track users in Safari private browsing mode.
Added: This issue was addressed through improved state management. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, tvOS 18.4, watchOS 11.4. A malicious website may be able to track users in Safari private browsing mode.
References

Mon, 03 Nov 2025 22:30:00 +0000


Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:tvos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple safari
Apple tvos

Wed, 02 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 02 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description This issue was addressed through improved state management. This issue is fixed in tvOS 18.4, Safari 18.4, iPadOS 17.7.6, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A malicious website may be able to track users in Safari private browsing mode.
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:11:38.169Z

Reserved: 2025-03-22T00:04:43.716Z

Link: CVE-2025-30425

Vulnrichment

Updated: 2025-04-02T13:32:01.621Z

NVD

Status : Modified

Published: 2025-03-31T23:15:24.847

Modified: 2026-04-02T19:19:33.937

Link: CVE-2025-30425

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:00:13Z

Weaknesses