CVE-2025-30466 Overview
CVE-2025-30466 is a Same Origin Policy (SOP) bypass vulnerability affecting Apple Safari and WebKit-based platforms. The flaw stems from improper state management within the browser engine. A malicious website can leverage the issue to read or interact with content from another origin, undermining a fundamental browser security boundary. Apple addressed the vulnerability through improved state management in Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, and visionOS 2.4. The weakness is classified under [CWE-346] Origin Validation Error.
Critical Impact
A crafted website can bypass the Same Origin Policy and read content belonging to other origins the victim is signed in to: authenticated page and API responses, and any session values, CSRF tokens, or data those pages expose to script, on Safari, iOS, iPadOS, macOS, and visionOS.
Affected Products
- Apple Safari (prior to 18.4). Apple also ships Safari as a standalone update for the older macOS releases it still supports, so those systems remain affected until Safari 18.4 is installed on them.
- Apple iOS and iPadOS (prior to 18.4)
- Apple macOS Sequoia (prior to 15.4) and Apple visionOS (prior to 2.4)
Discovery Timeline
- 2025-05-29 - CVE-2025-30466 published to the National Vulnerability Database (NVD)
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2025-30466
Vulnerability Analysis
The vulnerability lies in how the WebKit engine manages internal state when handling content from different origins. The Same Origin Policy enforces that scripts loaded from one origin cannot read responses or manipulate the Document Object Model (DOM) of another origin. When state tracking is inconsistent, the browser can apply the wrong origin context to a request, response, or scripting operation. Depending on which state is confused, an attacker can read document content, storage, or authenticated responses tied to a different origin (HttpOnly cookies stay out of script's reach, but the responses they authorize do not). Exploitation requires only that the victim load attacker-controlled web content in a vulnerable browser; in CVSS terms that visit is the user interaction, and no privileges are needed.
Root Cause
The root cause is improper state management within WebKit during cross-origin operations, an origin validation error tracked as [CWE-346]. Inconsistent state allows origin identity to be confused, defeating the isolation guarantees the SOP is intended to provide.
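As an added illustration, not code from Apple, WebKit, or this advisory, the comparison the Same Origin Policy rests on, written against the WHATWG URL API that browsers and Node.js share. The `mayReadResponse` decision, the sample URLs, and the header values are assumptions for the example; Apple's advisory does not say which piece of origin state the bug confuses, only that the fix is improved state management.

```javascript
// Added example (not WebKit code): the origin comparison behind the Same Origin
// Policy, using the WHATWG URL API that browsers and Node.js both implement.

// Serialized origin of a URL: scheme://host[:port], with default ports dropped.
// Opaque origins (data:, file:, a freshly created about:blank) serialize as "null".
function originOf(url) {
  return new URL(url).origin;
}

// Same-origin means scheme, host and port all match. Two opaque origins are
// never same-origin with each other (they compare by identity, not by value),
// so the "null" string must not be treated as a match.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa !== 'null' && oa === ob;
}

// The read-side decision a browser makes for a fetch() response: a same-origin
// response is always readable; a cross-origin one only if CORS opts in.
// `requesterOrigin` is the origin the engine has recorded for the calling
// script. A state-management bug of the kind Apple describes means this recorded
// origin (or the state around it) can be wrong or stale, and with a wrong value
// here the check lets a page read what it should not.
function mayReadResponse(requesterOrigin, responseUrl, responseHeaders, credentialed = false) {
  const target = originOf(responseUrl);
  if (requesterOrigin !== 'null' && requesterOrigin === target) return true;
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !credentialed;   // wildcard never covers cookies or auth headers
  // Exact match of the serialized origin. The spec lets a literal "null" header
  // match an opaque requester; servers that echo "null" are misconfigured.
  return acao === requesterOrigin;
}

// Worked cases, as constructed input: each row is [urlA, urlB, expectedSameOrigin].
const SOP_CASES = [
  ['https://bank.example/account', 'https://bank.example/api/balance', true], // path is irrelevant
  ['https://bank.example/', 'https://bank.example:443/', true],               // default port
  ['https://bank.example/', 'https://bank.example:8443/', false],             // port differs
  ['https://bank.example/', 'http://bank.example/', false],                   // scheme differs
  ['https://bank.example/', 'https://api.bank.example/', false],              // host differs
  ['https://bank.example/', 'https://bank.example.attacker.example/', false], // suffix trick
  ['blob:https://bank.example/7f3a', 'https://bank.example/', true],          // blob: inherits
  ['data:text/html,x', 'data:text/html,x', false],                            // opaque origins
];

// Rows whose computed result disagrees with the expectation (empty means all agree).
function sopMismatches() {
  return SOP_CASES.filter(([a, b, want]) => sameOrigin(a, b) !== want);
}

for (const [a, b] of SOP_CASES) {
  console.log(originOf(a), 'vs', originOf(b), '->', sameOrigin(a, b));
}
console.log('mismatches:', sopMismatches().length);
```

The point of the table is that the policy compares a tuple, not a string prefix: a different port, scheme, or subdomain is a different origin, and an opaque origin matches nothing. Everything the engine decides downstream (response reads, DOM access, storage partitioning) depends on the requester's origin having been tracked correctly, which is the state the advisory says was mishandled.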
Attack Vector
The attack vector is network-based and exploitable through web content. An adversary hosts a malicious page, compromises a trusted site, or buys an ad slot to deliver attacker-controlled JavaScript. When a user opens the page in a vulnerable version of Safari, or in any other app that renders web content through the system WebKit (on iOS and iPadOS this covers third-party browsers and in-app browsers, which generally use the system engine), the script triggers the SOP bypass. The attacker can then read cross-origin responses from authenticated sessions the victim holds. Targets include webmail, banking, SaaS dashboards, and identity providers.
No verified public proof-of-concept code is available for this vulnerability. Refer to the vendor advisories for technical context.
Detection Methods for CVE-2025-30466
Indicators of Compromise
- Outbound requests from browser processes to unfamiliar or newly registered domains that immediately follow visits to high-value web applications; exfiltration of a cross-origin read happens within the same page load.
- Where browser-extension or enterprise-browser telemetry exposes it, cross-origin fetch, XMLHttpRequest, or postMessage activity from untrusted pages aimed at internal or authenticated applications.
- Exposure rather than compromise: Safari older than 18.4, or iOS, iPadOS, macOS, or visionOS older than 18.4, 18.4, 15.4, or 2.4 respectively, on managed devices.
Detection Strategies
- Inventory endpoints and mobile devices to identify systems running WebKit components below the patched versions.
- Inspect web proxy and DNS logs for browsing sessions that load unfamiliar third-party scripts immediately before sensitive application access.
- Record the client IP and User-Agent a session token was first issued to at the identity provider or application gateway, and alert when the same token is later presented from a different client context; a replayed token is the signature of a stolen session.
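An added example, not from Apple or the original page, of the inventory check the detection and monitoring sections call for: flag managed devices below the patched baselines. The CSV below is a constructed, hypothetical MDM export (real exports use different column names), and the macOS rule reflects the advisory's separate Safari 18.4 entry, so either macOS 15.4 or Safari 18.4 counts as patched there.

```javascript
// Added example (not from Apple or the original page): flag managed devices
// below the CVE-2025-30466 baselines. Inventory format is a constructed assumption.

// Per platform, a device is compliant if ANY listed field meets its minimum.
// macOS gets two rules because Safari 18.4 also ships standalone for older macOS.
const BASELINE = {
  iOS:      [['os_version', '18.4']],
  iPadOS:   [['os_version', '18.4']],
  visionOS: [['os_version', '2.4']],
  macOS:    [['os_version', '15.4'], ['safari_version', '18.4']],
};

// Numeric, segment-wise comparison. Plain string comparison gets "18.10" < "18.4"
// wrong, and "18.4" must compare equal to "18.4.0".
function compareVersions(a, b) {
  const pa = String(a).split('.').map(Number);
  const pb = String(b).split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0, y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Minimal CSV reader (no quoting): header row, then one device per line.
function parseInventory(csv) {
  const [header, ...rows] = csv.trim().split('\n').map(l => l.trim()).filter(Boolean);
  const cols = header.split(',');
  return rows.map(r => Object.fromEntries(r.split(',').map((v, i) => [cols[i], v.trim()])));
}

// One verdict per device: compliant, or the reason it is still exposed.
function assess(devices) {
  return devices.map(d => {
    const rules = BASELINE[d.platform];
    if (!rules) return { device_id: d.device_id, compliant: false, reason: `unknown platform ${d.platform}` };
    const met = rules.filter(([field, min]) => d[field] && compareVersions(d[field], min) >= 0);
    if (met.length > 0) {
      return { device_id: d.device_id, compliant: true, reason: `${met[0][0]} ${d[met[0][0]]} >= ${met[0][1]}` };
    }
    const why = rules.map(([field, min]) => `${field} ${d[field] || 'missing'} < ${min}`).join('; ');
    return { device_id: d.device_id, compliant: false, reason: why };
  });
}

// Device ids that still need the update.
function exposedDeviceIds(csv) {
  return assess(parseInventory(csv)).filter(v => !v.compliant).map(v => v.device_id);
}

// Constructed sample export. Empty safari_version means the MDM did not report it.
const SAMPLE_INVENTORY = `
device_id,platform,os_version,safari_version
mbp-001,macOS,15.4,18.4
mbp-002,macOS,14.7.4,18.3.1
mbp-003,macOS,14.7.5,18.4
mbp-004,macOS,15.3.2,
iphone-001,iOS,18.3.2,
iphone-002,iOS,18.4.1,
ipad-001,iPadOS,18.3.1,
vision-001,visionOS,2.4,
vision-002,visionOS,2.3.2,
`;

for (const v of assess(parseInventory(SAMPLE_INVENTORY))) {
  console.log(v.device_id.padEnd(12), v.compliant ? 'OK      ' : 'EXPOSED ', v.reason);
}
```

A device with no reported version for the field that would clear it is treated as exposed, not unknown; in a patch-compliance check the safe default is to count missing data against the device.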
Monitoring Recommendations
- Enforce mobile device management (MDM) compliance checks that report OS and Safari versions against the patched baselines.
- Monitor Content Security Policy (CSP) violation reports from internal web applications. These reports only cover resources your own pages attempt to load, so they surface injected scripts on a compromised trusted site but will not show an attacker's page reading your responses; treat them as coverage for the delivery step, not for the bypass itself.
- Track authentication anomalies such as concurrent session use from the same account across different network locations.
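An added example, not from the original page, of the two session correlations the detection and monitoring sections describe, run over constructed identity-provider events. The event shape, field names, and the 15-minute window are assumptions; map your IdP's or gateway's log fields onto them.

```javascript
// Added example (not from the original page): session-replay and concurrent-session
// checks over constructed IdP/gateway events. Field names are a hypothetical format.

const WINDOW_MS = 15 * 60 * 1000; // "concurrent" means within 15 minutes (assumption)

// One record per authenticated request, as a gateway or IdP would log it.
// Constructed sample: alice's token is replayed from a second client,
// bob has two sessions from different IPs close together, carol is normal.
const EVENTS = [
  { ts: '2025-04-01T09:00:00Z', user: 'alice', session: 'sess-a1', ip: '203.0.113.10', ua: 'Safari/18.3' },
  { ts: '2025-04-01T09:05:00Z', user: 'alice', session: 'sess-a1', ip: '203.0.113.10', ua: 'Safari/18.3' },
  { ts: '2025-04-01T09:07:00Z', user: 'alice', session: 'sess-a1', ip: '198.51.100.7', ua: 'python-requests/2.31' },
  { ts: '2025-04-01T10:00:00Z', user: 'bob',   session: 'sess-b1', ip: '203.0.113.20', ua: 'Safari/18.4' },
  { ts: '2025-04-01T10:10:00Z', user: 'bob',   session: 'sess-b2', ip: '192.0.2.44',   ua: 'Safari/18.4' },
  { ts: '2025-04-01T11:00:00Z', user: 'carol', session: 'sess-c1', ip: '203.0.113.30', ua: 'Safari/18.4' },
  { ts: '2025-04-01T16:00:00Z', user: 'carol', session: 'sess-c2', ip: '192.0.2.80',   ua: 'Safari/18.4' },
];

// Strong signal: one session token presented from more than one client context
// (IP + User-Agent). A token lifted through a cross-origin read is replayed from
// the attacker's client, so it shows up under a context it was never issued to.
function sessionTokenReuse(events) {
  const bySession = new Map();
  for (const e of events) {
    if (!bySession.has(e.session)) bySession.set(e.session, { user: e.user, contexts: new Set() });
    bySession.get(e.session).contexts.add(`${e.ip} ${e.ua}`);
  }
  return [...bySession]
    .filter(([, v]) => v.contexts.size > 1)
    .map(([session, v]) => ({ session, user: v.user, contexts: [...v.contexts] }));
}

// Weaker signal: one account active in distinct sessions from different IPs
// within windowMs of each other. Roaming users trip this, so treat a hit as a
// triage lead to pair with the reuse check, not as an alert on its own.
function concurrentSessionsByUser(events, windowMs = WINDOW_MS) {
  const sorted = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const hits = new Set();
  for (let i = 0; i < sorted.length; i++) {
    for (let j = i + 1; j < sorted.length; j++) {
      const a = sorted[i], b = sorted[j];
      if (Date.parse(b.ts) - Date.parse(a.ts) > windowMs) break; // sorted, so later rows are further away
      if (a.user === b.user && a.session !== b.session && a.ip !== b.ip) hits.add(a.user);
    }
  }
  return [...hits].sort();
}

console.log('replayed sessions:', JSON.stringify(sessionTokenReuse(EVENTS)));
console.log('concurrent sessions by user:', concurrentSessionsByUser(EVENTS));
```

The first check is the one worth paging on: a session id that appears under two client contexts cannot be explained by a user moving between networks, because the user would have re-authenticated rather than carried the identical token to a different User-Agent.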
How to Mitigate CVE-2025-30466
Immediate Actions Required
- Update all Apple endpoints to Safari 18.4, iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, and visionOS 2.4 or later.
- Push the updates through MDM and enforce compliance for devices that access corporate web applications.
- Re-authenticate users and rotate sensitive session cookies where exposure to a malicious site is suspected.
Patch Information
Apple released fixes through improved state management. Details and download links are available in the vendor advisories: Apple Support Document #122371, Apple Support Document #122373, Apple Support Document #122378, and Apple Support Document #122379.
Workarounds
- Restrict use of Safari and other WebKit-based browsers on unpatched devices until updates are applied.
- Apply strict Content-Security-Policy, Cross-Origin-Resource-Policy, and Cross-Origin-Opener-Policy headers on internally hosted applications to limit cross-origin exposure. These headers are enforced by the browser, so an engine-level SOP bypass can defeat them as well; they reduce exposure and catch weaker attacks, but they do not substitute for the update.
- Require short session lifetimes and step-up authentication for sensitive operations until all endpoints are patched.
# Verify Safari version on macOS (expect 18.4 or later)
mdls -name kMDItemVersion /Applications/Safari.app
# Check macOS version against the patched baseline (15.4 or later for Sequoia;
# older supported macOS releases need the standalone Safari 18.4 update instead)
sw_vers -productVersion
# List available updates (no root needed), then install all of them and restart
softwareupdate -l
sudo softwareupdate -ia --restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

