VYPR
Medium severity 6.5 · NVD Advisory · Published May 12, 2025 · Updated Apr 2, 2026

CVE-2025-31205

Description

The issue was addressed with improved checks. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. A malicious website may exfiltrate data cross-origin.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A cross-origin data exfiltration vulnerability in Safari allows a malicious website to leak data across origins, patched in Apple's May 2025 updates.

Root Cause

CVE-2025-31205 is a cross-origin data exfiltration vulnerability in WebKit, the browser engine used by Safari. The issue was present in Safari 18.4 and earlier versions on affected platforms, where insufficient checks allowed a malicious website to bypass same-origin policy restrictions [1][2].

Exploitation

The vulnerability is triggered by simply visiting a malicious website in an affected version of Safari. No user interaction beyond standard browsing is required; the attacker-controlled site can execute crafted web content to leak data from other origins [1]. Apple's advisory describes the fix as "improved checks" but does not disclose further technical details [2].

Impact

Successful exploitation enables a malicious website to exfiltrate data cross-origin, potentially exposing sensitive information such as authentication tokens, cookies, or other site-specific data that should be isolated. The CVSS v3 score of 6.5 reflects medium severity with a network attack vector and low attack complexity [1].

Mitigation

Apple released patches on May 12, 2025, in Safari 18.5, iOS/iPadOS 18.5, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, and watchOS 11.5 [1][2][3][4]. Users should update their devices immediately. No workarounds were provided.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7

References

12