Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-44309

CVE-2024-44309: Apple Safari Cookie Management XSS Flaw

CVE-2024-44309 is a cross-site scripting vulnerability in Apple Safari caused by a cookie management flaw. Actively exploited on Intel Macs, it allows XSS attacks via malicious web content. This article covers technical details, affected versions, impact, and mitigation.

Updated:

CVE-2024-44309 Overview

CVE-2024-44309 is a cookie management vulnerability in Apple Safari and related Apple operating systems that enables cross-site scripting (XSS) attacks [CWE-79]. Processing maliciously crafted web content can trigger the flaw, allowing an attacker to execute script in the context of a trusted site. Apple has acknowledged reports of active exploitation on Intel-based Mac systems, and the Cybersecurity and Infrastructure Security Agency (CISA) has added the issue to its Known Exploited Vulnerabilities catalog. Apple resolved the defect through improved state management in Safari 18.1.1, iOS 17.7.2, iPadOS 17.7.2, iOS 18.1.1, iPadOS 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1.

Critical Impact

Active exploitation observed on Intel-based Mac systems. Successful exploitation enables cross-site scripting against users who view attacker-controlled web content.

Affected Products

  • Apple Safari prior to 18.1.1
  • Apple iOS and iPadOS prior to 17.7.2 and 18.1.1
  • Apple macOS Sequoia prior to 15.1.1 and Apple visionOS prior to 2.1.1
  • Debian Linux 11 (webkit2gtk components)

Discovery Timeline

  • 2024-11-20 - CVE-2024-44309 published to the National Vulnerability Database
  • 2024-11-20 - Apple releases security updates across Safari, iOS, iPadOS, macOS, and visionOS
  • 2024-12 - Debian LTS publishes corresponding webkit2gtk advisory
  • 2026-04-03 - Last updated in NVD database

Technical Details for CVE-2024-44309

Vulnerability Analysis

The defect resides in WebKit's cookie management logic, where inconsistent state handling allows attacker-controlled content to influence cookie scoping or attribute enforcement. When a victim renders a malicious page, the flawed state transitions enable script content from one origin to operate against another, satisfying the conditions for cross-site scripting [CWE-79].

Apple's advisory notes the issue was addressed with improved state management, indicating the underlying defect involved transitions between cookie storage states that were not consistently validated. The vulnerability requires user interaction, typically through visiting a crafted page, but no privileges or prior authentication on the targeted site are needed.

The Exploit Prediction Scoring System (EPSS) places the probability of observed exploitation in the upper quartile of catalogued vulnerabilities, and CISA's inclusion in the Known Exploited Vulnerabilities catalog confirms in-the-wild use against Intel-based Macs.

Root Cause

The root cause is improper state management within WebKit's cookie subsystem. State transitions associated with cookie attributes or scoping were not consistently enforced, allowing script content rendered by Safari and other WebKit consumers to break the same-origin boundaries the browser intended to maintain.

Attack Vector

Exploitation occurs over the network through user interaction. An attacker hosts or injects malicious content on a page the victim visits using a vulnerable WebKit-based browser. Once the page is processed, the cookie state mishandling triggers script execution in an unintended security context, enabling session theft, account takeover, or further client-side compromise. Apple has confirmed observation of attacks targeting Intel Macs.

No public proof-of-concept code has been released, and Apple's advisory does not describe the technical specifics. Further information is available in the Apple Support Article 121752 and the Full Disclosure Mailing List Nov 2024 post.

Detection Methods for CVE-2024-44309

Indicators of Compromise

  • Safari or WebKit-based browser versions below 18.1.1 reachable from managed inventory queries
  • macOS, iOS, iPadOS, or visionOS endpoints running builds older than the fixed releases listed in the Apple Support Article 121755
  • Unexpected cross-origin script execution, anomalous cookie writes, or session token reuse from unfamiliar IP addresses following web browsing activity

Detection Strategies

  • Inventory all macOS, iOS, iPadOS, and visionOS devices and compare installed versions against the patched builds. Flag Intel-based Macs that have not received Safari 18.1.1.
  • Monitor proxy and web gateway logs for visits to domains flagged in threat intelligence feeds tied to the November 2024 WebKit campaign.
  • Correlate browser process telemetry with subsequent authentication anomalies on SaaS applications to identify session hijacking attempts.

Monitoring Recommendations

  • Continuously ingest endpoint version data into a centralized inventory to track patch coverage for Safari and WebKit-based clients.
  • Alert on outbound traffic from Safari to newly registered or low-reputation domains, particularly from macOS hosts running Intel CPUs.
  • Watch identity providers for cookie or session reuse anomalies that follow Safari browsing sessions on unpatched endpoints.

How to Mitigate CVE-2024-44309

Immediate Actions Required

  • Update Safari to 18.1.1, iOS and iPadOS to 17.7.2 or 18.1.1, macOS Sequoia to 15.1.1, and visionOS to 2.1.1 without delay.
  • Prioritize Intel-based Macs given confirmed in-the-wild exploitation against that hardware class.
  • On Debian 11 systems, apply the webkit2gtk update from the Debian LTS Announcement Dec 2024.
  • Invalidate active web sessions and rotate credentials for high-value accounts accessed from potentially exposed endpoints.

Patch Information

Apple shipped fixes in Safari 18.1.1, iOS 17.7.2, iPadOS 17.7.2, iOS 18.1.1, iPadOS 18.1.1, macOS Sequoia 15.1.1, and visionOS 2.1.1. Release notes are available across Apple Support Article 121752, Apple Support Article 121753, Apple Support Article 121754, Apple Support Article 121755, and Apple Support Article 121756. CISA's catalog entry is documented at the CISA Known Exploited Vulnerability CVE-2024-44309 page.

Workarounds

  • Restrict use of Safari and other WebKit-based browsers on unpatched endpoints until updates are installed.
  • Enforce strict cookie policies (SameSite=Strict, HttpOnly, Secure) and a hardened Content Security Policy on internally controlled web applications to reduce XSS impact.
  • Block known malicious domains at the web proxy and DNS layer while patch deployment completes.
bash
# Verify Safari version on macOS
mdls -name kMDItemVersion /Applications/Safari.app

# Trigger Apple software update check
sudo softwareupdate --list
sudo softwareupdate --install --all --restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.