Description
A path handling issue was addressed with improved logic. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, visionOS 2.4, watchOS 11.4. An app may be able to read sensitive location information.
Published: 2025-03-31
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Read Sensitive Location Data
Action: Apply Patch
AI Analysis

Impact

A path handling flaw in Apple operating systems can allow a malicious application to access files that contain location data, enabling the app to read the device’s geographic coordinates. The weakness is a directory traversal problem (CWE-22). The vulnerability enables information disclosure of location data but does not provide privileges beyond that data.

Affected Systems

Apple devices running iOS, iPadOS, macOS, visionOS and watchOS that have not been updated to the fixed releases are affected. Versions iOS 18.3 and older, iPadOS 18.3 and older, macOS Sequoia 15.3 and older, macOS Sonoma 14.6.4 and older, macOS Ventura 13.6.4 and older, visionOS 2.3 and older, and watchOS 11.3 and older are vulnerable. The documented fix is available in iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, visionOS 2.4 and watchOS 11.4.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate risk, as reading location data can compromise confidentiality but does not allow higher‑level system access. The EPSS score of less than 1% reflects a very low predicted exploitation probability. The vulnerability is not in the CISA KEV catalog. Attackers would have to entice a user to install a malicious app that constructs a path designed to traverse the location service filesystem, after which the app can read the location files.

Generated by OpenCVE AI on April 28, 2026 at 18:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest OS version that includes the fix: iOS 18.4 or later, iPadOS 18.4 or later, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, visionOS 2.4 or later, and watchOS 11.4 or later
  • Disable or restrict location services for untrusted applications or require explicit user permission before granting access
  • Review installed applications and remove those that request location permissions unnecessarily

Generated by OpenCVE AI on April 28, 2026 at 18:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8892 A path handling issue was addressed with improved logic. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to read sensitive location information.
History

Tue, 28 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Title Path Handling Vulnerability Allowing App to Read Sensitive Location Information

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A path handling issue was addressed with improved logic. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to read sensitive location information. A path handling issue was addressed with improved logic. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, visionOS 2.4, watchOS 11.4. An app may be able to read sensitive location information.
References

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Fri, 04 Apr 2025 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple ipados
Apple iphone Os
Apple macos
Apple visionos
CPEs cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*
Vendors & Products Apple
Apple ipados
Apple iphone Os
Apple macos
Apple visionos

Tue, 01 Apr 2025 13:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Tue, 01 Apr 2025 13:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-22

Tue, 01 Apr 2025 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 31 Mar 2025 22:45:00 +0000

Type Values Removed Values Added
Description A path handling issue was addressed with improved logic. This issue is fixed in visionOS 2.4, macOS Ventura 13.7.5, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to read sensitive location information.
References

Subscriptions

Apple Ipados Iphone Os Macos Visionos
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:26:57.916Z

Reserved: 2025-03-22T00:04:43.723Z

Link: CVE-2025-30470

cve-icon Vulnrichment

Updated: 2025-04-01T04:01:49.802Z

cve-icon NVD

Status : Modified

Published: 2025-03-31T23:15:28.247

Modified: 2026-04-02T19:19:42.530

Link: CVE-2025-30470

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses