CVE-2025-30466

9.8 CRITICAL

📋 TL;DR

This vulnerability allows malicious websites to bypass the Same Origin Policy in Apple's Safari browser and related WebKit-based browsers. This could enable cross-site data theft or session hijacking. All users of affected Apple operating systems with vulnerable browser versions are impacted.

💻 Affected Systems

Products:
  • Safari
  • iOS
  • iPadOS
  • visionOS
  • macOS
Versions: Versions prior to Safari 18.4, iOS 18.4, iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4
Operating Systems: iOS, iPadOS, visionOS, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected Apple operating systems with WebKit-based browsers are vulnerable.

📦 What is this software?

macOS by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal sensitive data from other websites the user is logged into, hijack user sessions, perform actions on behalf of the user, or exfiltrate authentication tokens and cookies.

🟠 Likely Case

Malicious websites could read data from other open tabs/windows, potentially accessing personal information, financial data, or corporate applications the user has open.

🟢 If Mitigated

With proper browser isolation and network segmentation, impact would be limited to data within the same browser session rather than full system compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to visit a malicious website, but no authentication or special permissions are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Safari 18.4, iOS 18.4, iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4

Vendor Advisory: https://support.apple.com/en-us/122371

Restart Required: Yes

Instructions:

1. Open System Settings > General > Software Update.
2. Install available updates.
3. Restart the device when prompted.

🔧 Temporary Workarounds

Browser Isolation (applies to: all)

Use separate browser profiles or containers for different security contexts.

Disable JavaScript (applies to: all)

Temporarily disable JavaScript for untrusted sites.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate browser traffic
  • Use application allowlisting to restrict which websites users can access

🔍 How to Verify

Check if Vulnerable:

Check Safari version in Safari > About Safari, or system version in Settings > General > About

Check Version:

On macOS: run sw_vers. On iOS/iPadOS: check Settings > General > About.

Verify Fix Applied:

Verify that the installed version numbers match or exceed the patched versions listed under Official Fix (Patch Version).
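A shell check for the fixed versions named above (macOS Sequoia 15.4, Safari 18.4), written as an added example rather than Apple tooling; it assumes sw_vers and the Safari bundle's Info.plist are present only on macOS, and the comparison function can be fed version strings from any inventory source on other systems.

```shell
#!/bin/sh
# Added example: compare installed macOS/Safari versions against the
# fixed versions from this advisory (macOS Sequoia 15.4, Safari 18.4).
MACOS_FIXED="15.4"
SAFARI_FIXED="18.4"

# version_ge A B: succeeds when dotted version A >= B, comparing each
# numeric component so that 15.10 ranks above 15.4 (a plain string
# comparison would get this wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0   # all components equal
}

# patch_status INSTALLED FIXED: prints "patched" or "vulnerable".
patch_status() {
    if version_ge "$1" "$2"; then echo "patched"; else echo "vulnerable"; fi
}

# report_local: reads the live versions on a Mac. sw_vers and the Safari
# bundle's Info.plist are macOS-specific, so this is skipped elsewhere.
report_local() {
    os="$(sw_vers -productVersion 2>/dev/null)" || return 1
    safari="$(defaults read /Applications/Safari.app/Contents/Info.plist \
        CFBundleShortVersionString 2>/dev/null)"
    echo "macOS  $os -> $(patch_status "$os" "$MACOS_FIXED")"
    [ -n "$safari" ] && echo "Safari $safari -> $(patch_status "$safari" "$SAFARI_FIXED")"
    return 0
}

if [ "$(uname -s)" = "Darwin" ]; then report_local; fi
```

On a managed fleet the same patch_status check can be run against version strings pulled from MDM or inventory exports, since it has no dependency on the local commands.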

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-origin requests in web server logs
  • Repeated same-origin policy violations reported in browser logs

Network Indicators:

  • Unexpected cross-domain requests from single user sessions
  • Suspicious iframe or script loading patterns

SIEM Query:

web.url CONTAINS malicious-domain AND web.referrer CONTAINS sensitive-domain
