VYPR

Medium severity · CVSS 6.1 · NVD Advisory · Published Jul 30, 2025 · Updated Apr 2, 2026

CVE-2025-43229

Description

This issue was addressed through improved state management. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to universal cross site scripting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2025-43229 is a universal XSS vulnerability in WebKit addressed in Safari 18.6 and macOS Sequoia 15.6, allowing attackers to execute cross-site scripting via malicious web content.

Root Cause

CVE-2025-43229 is a vulnerability in the WebKit rendering engine that could lead to universal cross-site scripting (UXSS). The issue, discovered by Martin Bajanik of Fingerprint and Ammar Askar, was addressed through improved state management in WebKit [1][4]. This type of flaw occurs when the browser incorrectly handles security contexts, allowing scripts from one origin to execute in the context of another.

Exploitation

The attack vector requires processing maliciously crafted web content, such as a specially designed webpage. No additional user interaction beyond visiting the malicious page is necessary for exploitation. The vulnerability is present in Safari on both macOS and iOS, as well as any application using WebKit on these platforms [4].

Impact

Successful exploitation can lead to universal cross-site scripting, enabling an attacker to inject arbitrary scripts into the user's browser session. This may allow an attacker to steal cookies or session tokens, or to perform actions on behalf of the user across different websites, bypassing standard same-origin policy protections.

Mitigation

Apple has released fixes in Safari 18.6, available for macOS Ventura and macOS Sonoma, and in macOS Sequoia 15.6 [1][3]. Users should update their devices to the latest versions to protect against this vulnerability.
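As an added check that is not part of this advisory page, the following POSIX shell script compares a macOS host's installed versions against the fixed versions stated above (Safari 18.6 on Ventura/Sonoma, macOS Sequoia 15.6). The dotted-version comparison is pure shell so it runs anywhere; the `sw_vers` and `defaults read` lookups only run on macOS, and the Safari bundle path is assumed to be the standard /Applications/Safari.app location.

```shell
#!/bin/sh
# Added example, not part of the advisory: check whether a macOS host is at or
# above the fixed versions named for CVE-2025-43229 (Safari 18.6 for macOS
# Ventura/Sonoma, macOS Sequoia 15.6). Fixed versions come from the advisory;
# the Safari.app path is an assumption (the standard install location).

FIXED_SAFARI="18.6"
FIXED_SEQUOIA="15.6"

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
# Components are compared numerically; a missing component counts as 0,
# so 15.6.1 >= 15.6 and 15.6 >= 15.6.0. Non-numeric components are not handled.
version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# assess LABEL INSTALLED FIXED: print a verdict; succeed only when patched.
assess() {
    if version_ge "$2" "$3"; then
        echo "$1 $2: at or above fixed version $3"
        return 0
    fi
    echo "$1 $2: below fixed version $3, update required"
    return 1
}

# check_host: only meaningful on macOS; silently does nothing elsewhere.
check_host() {
    command -v sw_vers >/dev/null 2>&1 || return 0
    os=$(sw_vers -productVersion)
    case "$os" in
        15.*)
            # Sequoia receives the fix with the OS update itself.
            assess "macOS Sequoia" "$os" "$FIXED_SEQUOIA" ;;
        13.*|14.*)
            # Ventura/Sonoma receive the fix through a Safari update, so read Safari's bundle version.
            safari=$(defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString 2>/dev/null)
            assess "Safari" "${safari:-0}" "$FIXED_SAFARI" ;;
        *)
            echo "macOS $os: outside the versions this advisory lists; consult Apple's release notes" ;;
    esac
}

check_host
```

The script exits non-zero from `assess` when the host is below the fixed version, so it can be dropped into a fleet inventory job that flags hosts still needing the update.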

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0

No linked articles in our index yet.