CVE-2025-24180 Overview
CVE-2025-24180 is an input validation vulnerability affecting Apple's WebAuthn implementation across multiple platforms including Safari, iOS, iPadOS, macOS Sequoia, visionOS, and watchOS. The vulnerability allows a malicious website to claim WebAuthn credentials from another website that shares a registrable suffix, potentially enabling credential theft and authentication bypass attacks.
WebAuthn (Web Authentication) is a critical security standard used for passwordless authentication and multi-factor authentication. This vulnerability undermines the core security guarantees of WebAuthn by allowing cross-origin credential access through improper validation of website origins that share common domain suffixes.
Critical Impact
A malicious website can claim WebAuthn credentials from other websites sharing a registrable suffix, potentially allowing attackers to hijack passkey-based authentication and compromise user accounts without user awareness.
Affected Products
- Apple Safari versions prior to 18.4
- Apple iOS and iPadOS versions prior to 18.4
- Apple macOS Sequoia versions prior to 15.4
- Apple visionOS versions prior to 2.4
- Apple watchOS versions prior to 11.4
Discovery Timeline
- 2025-03-31 - CVE-2025-24180 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2025-24180
Vulnerability Analysis
This vulnerability stems from improper input validation in Apple's WebAuthn credential handling mechanism. The WebAuthn API is designed to bind credentials to specific origins (websites) to prevent credential sharing across different sites. However, the flawed validation logic in affected Apple products allows websites sharing a "registrable suffix" (such as a common top-level domain or public suffix) to improperly access credentials belonging to other origins.
The CWE-601 (URL Redirection to Untrusted Site) classification indicates the vulnerability involves improper handling of URL-based security boundaries. In this context, the WebAuthn implementation fails to properly validate and enforce origin isolation, treating websites with similar domain structures as equivalent for credential access purposes.
The attack requires user interaction (visiting a malicious website), but once a user visits the attacker-controlled site, the credential theft can occur transparently without additional user awareness.
Root Cause
The root cause is insufficient input validation in the origin comparison logic used by Apple's WebAuthn implementation. When validating whether a credential belongs to a requesting origin, the implementation incorrectly accepts origins that share a common registrable suffix rather than requiring an exact origin match.
For example, if a user registers a WebAuthn credential with legitimate-bank.com, a malicious site like attacker-bank.com sharing the .com suffix could potentially claim access to those credentials due to the improper suffix-based validation.
Attack Vector
The attack is network-based and requires user interaction. An attacker would:
- Set up a malicious website with a domain that shares a registrable suffix with the target site
- Lure victims to visit the malicious website through phishing or other social engineering techniques
- The malicious site invokes WebAuthn APIs to request credentials
- Due to the improper validation, credentials from legitimate sites sharing the suffix become accessible
- The attacker captures the credential assertion, potentially enabling authentication bypass on the victim's accounts
The attack targets the confidentiality and integrity of user authentication credentials, with no direct availability impact. The network attack vector with low complexity but required user interaction makes this a realistic threat for targeted attacks.
Detection Methods for CVE-2025-24180
Indicators of Compromise
- Unexpected WebAuthn credential access requests from unfamiliar origins in browser logs
- Authentication events from unusual geographic locations or devices following visits to suspicious websites
- User reports of being redirected to unfamiliar sites that requested passkey authentication
- WebAuthn API calls to credential endpoints from domains not associated with the registered credential origin
Detection Strategies
- Monitor WebAuthn API usage patterns for anomalous credential access attempts across different origins
- Implement server-side logging of WebAuthn authentication attempts including full origin information
- Deploy browser extensions or endpoint protection that alerts on WebAuthn requests from suspicious domains
- Analyze network traffic for patterns of users visiting sites that subsequently trigger credential requests
Monitoring Recommendations
- Enable detailed logging on authentication systems to capture WebAuthn credential usage with full origin context
- Implement anomaly detection for authentication patterns that deviate from user baselines
- Monitor for reports of this vulnerability being exploited in the wild through threat intelligence feeds
- Review Apple security advisories at Apple Support Document #122371 and related advisories for updates
How to Mitigate CVE-2025-24180
Immediate Actions Required
- Update Safari to version 18.4 or later immediately
- Update iOS and iPadOS devices to version 18.4 or later
- Update macOS Sequoia to version 15.4 or later
- Update visionOS devices to version 2.4 or later
- Update watchOS to version 11.4 or later
- Educate users about the risks of visiting untrusted websites, especially those requesting passkey authentication
Patch Information
Apple has addressed this vulnerability with improved input validation in the following releases:
- Safari 18.4 - Apple Support Document #122371
- iOS 18.4 and iPadOS 18.4 - Apple Support Document #122373
- macOS Sequoia 15.4 - Apple Support Document #122378
- visionOS 2.4 - Apple Support Document #122379
Organizations should prioritize deployment of these updates across all managed Apple devices. Enterprise environments using Mobile Device Management (MDM) solutions should push these updates through managed deployment channels.
Workarounds
- Until patches can be applied, advise users to exercise caution when visiting unfamiliar websites
- Consider temporarily using alternative browsers that are not affected by this vulnerability for sensitive authentication
- Implement additional authentication factors beyond WebAuthn where possible as a defense-in-depth measure
- Review and audit existing WebAuthn credential registrations for any suspicious activity
# Verify Safari version on macOS
/Applications/Safari.app/Contents/MacOS/Safari --version
# Check macOS version
sw_vers -productVersion
# Verify iOS/iPadOS version via MDM query or Settings > General > About
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
