Medium severity 6.5 · NVD Advisory · Published May 12, 2025 · Updated Apr 2, 2026

CVE-2025-31217

Description

The issue was addressed with improved input validation. This issue is fixed in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, watchOS 11.5. Processing maliciously crafted web content may lead to an unexpected Safari crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-31217 is an input validation bug in Apple WebKit that can cause Safari to crash when processing maliciously crafted web content.

CVE-2025-31217 is an input validation vulnerability in Apple's WebKit engine, which powers Safari and other applications on Apple platforms. The issue stems from insufficient validation of specially crafted web content. Apple addressed the flaw by improving input validation, preventing the condition that leads to an unexpected crash [1][2][4].

Attack Vector

An attacker can exploit this vulnerability by luring a user to view a maliciously crafted web page (e.g., via a link in email or a compromised website). No other user interaction is required beyond visiting the page, and the attack can be triggered remotely over the network. The vulnerability affects Safari, as well as any application that uses WebKit to render web content on iOS, iPadOS, macOS, tvOS, visionOS, and watchOS.

Impact

Successful exploitation causes Safari (or the affected application) to unexpectedly crash, denying the user access to the browser and potentially disrupting workflows. While the crash itself does not allow code execution or data theft, it can be used as part of a denial-of-service (DoS) attack against the user's browser.

Mitigation

Apple has released patches in Safari 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.7, macOS Sequoia 15.5, tvOS 18.5, visionOS 2.5, and watchOS 11.5. Users should update their devices to the latest available versions to mitigate the risk. No workarounds have been provided by Apple [1][2][3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

7

References

13
