Description
The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A website may be able to access sensor information without user consent.
Published: 2025-03-31
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to sensor information
Action: Patch immediately
AI Analysis

Impact

A check meant to prevent unauthorized sensor data leakage was insufficient, allowing a website to read certain device sensors without the user’s explicit permission. The flaw creates a potential privacy violation by exposing sensor data that should be gated behind user consent, and the record classifies it as an authentication weakness (CWE-305).

Affected Systems

The vulnerability affects Apple’s core browsers and operating systems: Safari, iOS, iPadOS, and macOS. Versions prior to Safari 18.4, iOS 18.4, iPadOS 18.4, and macOS Sequoia 15.4 are affected; Apple has patched the issue in those releases.

Risk and Exploitability

The CVSS score of 6.7 indicates moderate impact, with a very low EPSS of < 1% suggesting limited exploitation likelihood at present. The issue is not yet listed in CISA’s KEV catalog. Attackers could exploit the flaw via a malicious or compromised site, delivering scripts that read sensor data remotely once a user visits the malicious page. Proper validation and updated software mitigate this risk.

Generated by OpenCVE AI on April 28, 2026 at 11:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Safari to version 18.4 or later on all supported devices
  • Upgrade iOS and iPadOS to version 18.4
  • Apply macOS Sequoia 15.4 or later updates

Advisories

| Source | ID | Title |
|---|---|---|
| EUVD | EUVD-2025-8891 | The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A website may be able to access sensor information without user consent. |

History

Tue, 28 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Website Can Read Sensor Information Without User Consent |

Mon, 03 Nov 2025 22:30:00 +0000


Mon, 07 Apr 2025 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Apple, Apple ipados, Apple iphone Os, Apple macos, Apple safari |
| CPEs | | cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*, cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* |
| Vendors & Products | | Apple, Apple ipados, Apple iphone Os, Apple macos, Apple safari |

Thu, 03 Apr 2025 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-305 |
| Metrics | | cvssV3_1: {'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 31 Mar 2025 22:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The issue was addressed with improved checks. This issue is fixed in Safari 18.4, iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4. A website may be able to access sensor information without user consent. |
References

MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:08:20.753Z

Reserved: 2025-03-27T16:13:58.312Z

Link: CVE-2025-31192

Vulnrichment

Updated: 2025-04-02T14:18:31.263Z

NVD

Status: Modified

Published: 2025-03-31T23:15:29.230

Modified: 2025-11-03T22:18:50.660

Link: CVE-2025-31192

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:00:13Z

Weaknesses