Description
The issue was addressed with improved input sanitization. This issue is fixed in iOS 18.4 and iPadOS 18.4. Processing a maliciously crafted file may lead to a cross site scripting attack.
Published: 2025-03-31
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

A maliciously crafted file can be processed by the operating system and trigger the execution of arbitrary JavaScript, leading to a cross‑site scripting attack. The flaw stems from insufficient input sanitization during file handling, allowing attacker‑supplied content to be executed in a browser context.

Affected Systems

Apple iOS and iPadOS are affected. The vulnerability exists in all iOS versions prior to 18.4 and in all iPadOS versions prior to 18.4. The security fix is included in iOS 18.4 and iPadOS 18.4 and is not available in earlier releases.

Risk and Exploitability

The CVSS score of 5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA KEV. The likely attack vector is execution of a malicious file that the user opens or that is transferred to the device through an application, email attachment, or file sharing service. Exploitation requires local file access, but once a file is processed the JavaScript can run with the privileges of the device’s web view.

Generated by OpenCVE AI on April 28, 2026 at 03:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the device to iOS 18.4 or iPadOS 18.4, which includes the improved input sanitization fixes.
  • Ensure that any third‑party apps that handle file content are also updated, as older app libraries may re‑expose the flaw.
  • Restrict the acceptance of unknown or untrusted files on the device, for example by disabling automatic downloads from email attachments or by using application‑level file‑type checks.

Generated by OpenCVE AI on April 28, 2026 at 03:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8920 The issue was addressed with improved input sanitization. This issue is fixed in iOS 18.4 and iPadOS 18.4. Processing a maliciously crafted file may lead to a cross site scripting attack.
History

Tue, 28 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting via Malicious File Processing in iOS 18 and iPadOS 18

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os

Tue, 01 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description The issue was addressed with improved input sanitization. This issue is fixed in iOS 18.4 and iPadOS 18.4. Processing a maliciously crafted file may lead to a cross site scripting attack.
References

Subscriptions

Apple Ipados Iphone Os
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:14:55.383Z

Reserved: 2025-03-22T00:04:43.717Z

Link: CVE-2025-30434

cve-icon Vulnrichment

Updated: 2025-04-01T14:15:18.315Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:25.600

Modified: 2025-11-03T22:18:45.327

Link: CVE-2025-30434

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T03:15:05Z

Weaknesses