Description
A logic issue was addressed with improved checks. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. A download's origin may be incorrectly associated.
Published: 2025-07-29
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Origin misattribution
Action: Patch
AI Analysis

Impact

A flaw in the WebKit download handling logic can cause the browser to record a downloaded file’s origin incorrectly. This logic error leads to an improper association between the file and the webpage that initiated the download. The impact is that security checks relying on the reported origin—such as content‑security‑policy enforcement or download‑origin filtering—may be misapplied, allowing a file to be treated as coming from a trusted source when it does not.

Affected Systems

Apple Safari and Apple macOS are affected. Versions earlier than Safari 18.6 and macOS Sequoia 15.6 lack the fix. Updating to these or later releases removes the flaw.

Risk and Exploitability

The CVSS base score of 6.2 categorizes the issue as medium severity, and the EPSS score of less than 1 % implies a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that a malicious web page could initiate a download that triggers the misassociation, potentially allowing the file to be treated as originating from a trusted domain. Although no active exploits are reported, the risk remains until the patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 18:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Safari 18.6 or newer and macOS Sequoia 15.6 or newer to receive the WebKit fix.
  • Restart the machine after updating to activate the WebKit changes.
  • Until the patch is applied, configure Safari to block or prompt on downloads from untrusted origins, and keep Gatekeeper set to require signed software to prevent execution of potentially compromised files.

Generated by OpenCVE AI on April 28, 2026 at 18:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4276-1 webkit2gtk security update
Debian DSA Debian DSA DSA-5978-1 webkit2gtk security update
EUVD EUVD EUVD-2025-23066 A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. A download's origin may be incorrectly associated.
Ubuntu USN Ubuntu USN USN-7702-1 WebKitGTK vulnerabilities
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. A download's origin may be incorrectly associated. A logic issue was addressed with improved checks. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. A download's origin may be incorrectly associated.

Tue, 04 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 03 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 05 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
Title webkitgtk: A download’s origin may be incorrectly associated
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 01 Aug 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Apple safari
CPEs cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*
Vendors & Products Apple safari

Thu, 31 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 31 Jul 2025 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Apple
Apple macos
Apple sequoia
Vendors & Products Apple
Apple macos
Apple sequoia

Wed, 30 Jul 2025 23:00:00 +0000

Type Values Removed Values Added
Description A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6. A download's origin may be incorrectly associated. A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. A download's origin may be incorrectly associated.
References

Tue, 29 Jul 2025 23:45:00 +0000

Type Values Removed Values Added
Description A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6. A download's origin may be incorrectly associated.
References

Subscriptions

Apple Macos Safari Sequoia
cve-icon MITRE

Status: PUBLISHED

Assigner: apple

Published:

Updated: 2026-04-02T18:24:57.015Z

Reserved: 2025-04-16T15:24:37.091Z

Link: CVE-2025-43240

cve-icon Vulnrichment

Updated: 2025-11-04T21:10:35.941Z

cve-icon NVD

Status : Modified

Published: 2025-07-30T00:15:35.890

Modified: 2026-04-02T19:20:11.200

Link: CVE-2025-43240

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-07-29T23:29:26Z

Links: CVE-2025-43240 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:00:20Z

Weaknesses