VYPR
Medium severity 4.3 · NVD Advisory · Published Jan 27, 2025 · Updated Apr 2, 2026

CVE-2025-24128

Description

The issue was addressed by adding additional logic. This issue is fixed in Safari 18.3, iOS 18.3 and iPadOS 18.3, macOS Sequoia 15.3. Visiting a malicious website may lead to address bar spoofing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Visiting a malicious website may allow address bar spoofing in Safari due to a logic flaw fixed in iOS/iPadOS 18.3, macOS Sequoia 15.3, and Safari 18.3.

CVE-2025-24128 is an address bar spoofing vulnerability affecting Safari. The issue stems from a logic flaw in how the browser handles certain website requests, allowing a malicious site to manipulate the displayed URL in the address bar. Apple addressed the issue by adding additional logic to properly validate and present the correct URL [1].

Exploitation requires tricking the user into visiting a specially crafted malicious website. No other authentication or local network access is needed, making the attack surface broadly accessible through web browsing. The prerequisite is solely user interaction to navigate to the attacker-controlled site [2].

If successfully exploited, an attacker can make the address bar show a legitimate or trusted domain while the actual page content is malicious. This spoofing enables more effective phishing or social engineering attacks, as users may trust the displayed URL and divulge sensitive information [3].

Apple released fixes on January 27, 2025, in Safari 18.3, iOS 18.3 and iPadOS 18.3, and macOS Sequoia 15.3. Users are advised to update their devices to these versions to mitigate the vulnerability [1][3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7

References

6
