CVE-2025-24259
📋 TL;DR
This vulnerability allows malicious applications to access Safari bookmarks without proper authorization checks. It affects macOS systems running vulnerable versions of Ventura, Sequoia, and Sonoma. The flaw bypasses entitlement requirements that should restrict bookmark access to authorized applications only.
💻 Affected Systems
- macOS
📦 What is this software?
Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →Macos by Apple
macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...
Learn more about Macos →⚠️ Risk & Real-World Impact
Worst Case
Malicious app steals all Safari bookmarks containing sensitive URLs, credentials, or personal information, potentially leading to credential theft, account compromise, or targeted phishing attacks.
Likely Case
Malware or compromised applications silently exfiltrate browser bookmarks containing personal or work-related URLs, compromising user privacy and potentially exposing sensitive information.
If Mitigated
With proper app vetting and security controls, only trusted applications run on the system, limiting exposure to this vulnerability.
🎯 Exploit Status
Exploitation requires a malicious application to be installed and executed on the target system. The vulnerability is in the entitlement check mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5
Vendor Advisory: https://support.apple.com/en-us/122373
Restart Required: Yes
Instructions:
1. Open System Settings. 2. Click General. 3. Click Software Update. 4. Install available updates. 5. Restart when prompted.
🔧 Temporary Workarounds
Restrict Application Installation
allOnly allow installation of applications from the App Store and identified developers in System Settings
🧯 If You Can't Patch
- Implement application allowlisting to prevent unauthorized applications from running
- Use mobile device management (MDM) to enforce security policies and restrict application installation
🔍 How to Verify
Check if Vulnerable:
Check macOS version in System Settings > General > About. If version is Ventura <13.7.5, Sequoia <15.4, or Sonoma <14.7.5, system is vulnerable.Check Version:
sw_versVerify Fix Applied:
Verify macOS version is Ventura 13.7.5, Sequoia 15.4, or Sonoma 14.7.5 or later in System Settings > General > About.📡 Detection & Monitoring
Log Indicators:
- Unusual application accessing Safari bookmark files
- Processes accessing ~/Library/Safari/Bookmarks.plist without proper entitlements
Network Indicators:
- Unexpected outbound connections from applications shortly after accessing bookmark files
SIEM Query:
process_name:access AND target_path:*Safari*Bookmarks* AND NOT entitlement:*com.apple.private.safari*🔗 References
- https://support.apple.com/en-us/122373
- https://support.apple.com/en-us/122374
- https://support.apple.com/en-us/122375
- http://seclists.org/fulldisclosure/2025/Apr/10
- http://seclists.org/fulldisclosure/2025/Apr/8
- http://seclists.org/fulldisclosure/2025/Apr/9
- http://seclists.org/fulldisclosure/2025/May/6
