Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-31225

CVE-2025-31225: Apple iPadOS Information Disclosure Flaw

CVE-2025-31225 is an information disclosure vulnerability in Apple iPadOS where call history from deleted apps may persist in Spotlight search. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-31225 Overview

CVE-2025-31225 is an information disclosure vulnerability affecting Apple iOS and iPadOS. Spotlight search retains and displays call history entries from applications that users have deleted from the device. Apple addressed the issue by removing the sensitive data in iOS 18.5 and iPadOS 18.5.

The flaw maps to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. An attacker with local access to an unlocked device can recover historical communication metadata that the user expected to be removed alongside the originating application.

Critical Impact

Call history from deleted third-party applications remains accessible through Spotlight search, exposing communication metadata after the user intended to remove it.

Affected Products

  • Apple iOS versions prior to 18.5
  • Apple iPadOS versions prior to 18.5
  • iPhone and iPad devices running affected operating system builds

Discovery Timeline

  • 2025-05-12 - CVE-2025-31225 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-31225

Vulnerability Analysis

The vulnerability resides in how Spotlight indexes and retains data contributed by installed applications. Spotlight maintains a system-wide index of content donated by apps through CoreSpotlight and related frameworks. When a user deletes an application, the system is expected to purge associated indexed data, including call history entries donated by Voice over IP (VoIP) and messaging apps.

In affected iOS and iPadOS releases, call history records persist in the Spotlight index after the donor application is uninstalled. A local user querying Spotlight can surface call entries referencing contacts, timestamps, and metadata tied to applications no longer present on the device. The flaw is a privacy and information exposure issue rather than a memory safety defect.

The vulnerability is classified under CWE-200 for exposure of sensitive information. Confidentiality impact is high because call metadata can reveal personal contacts, communication patterns, and prior use of privacy-focused applications.

Root Cause

The root cause is incomplete cleanup of Spotlight-indexed records during application uninstallation. The Spotlight subsystem failed to delete call history items donated by removed apps, leaving stale references queryable through the search interface.

Attack Vector

Exploitation requires local interaction with an unlocked device. An attacker performs a Spotlight search using terms that match contact names, phone numbers, or call-related keywords. The system returns matching call history entries even when the originating application has been removed.

No verified proof-of-concept code is published for this issue. Refer to the Apple Support Article for vendor details and the Full Disclosure Security Announcement for the public security notice.

Detection Methods for CVE-2025-31225

Indicators of Compromise

  • Spotlight search results returning call entries linked to applications no longer installed on the device
  • Presence of CoreSpotlight index entries referencing bundle identifiers of uninstalled VoIP or messaging apps
  • Device running iOS or iPadOS versions earlier than 18.5

Detection Strategies

  • Inventory managed iOS and iPadOS devices through Mobile Device Management (MDM) and flag any running builds prior to 18.5
  • Audit Spotlight search behavior on test devices by installing a calling app, generating call history, uninstalling the app, and querying Spotlight for residual entries
  • Correlate MDM compliance telemetry with the Apple security advisory to prioritize remediation

Monitoring Recommendations

  • Enable MDM policies that report installed OS build numbers and enforce minimum version 18.5
  • Track application install and uninstall events on managed devices to identify privacy-sensitive apps subject to residual indexing
  • Review Apple security advisories and integrate published CVE identifiers into vulnerability management workflows

How to Mitigate CVE-2025-31225

Immediate Actions Required

  • Update all iPhone and iPad devices to iOS 18.5 or iPadOS 18.5 or later
  • Push the update through MDM with enforced compliance deadlines for managed fleets
  • Instruct users who previously deleted calling applications to verify Spotlight no longer returns residual call entries after updating

Patch Information

Apple fixed the issue in iOS 18.5 and iPadOS 18.5 by removing the sensitive data from the Spotlight index. Details are published in the Apple Support Article. Apply the update through Settings, Software Update, or via MDM-managed deployment.

Workarounds

  • Disable Spotlight indexing for third-party applications under Settings, Siri & Search for each privacy-sensitive app prior to uninstallation
  • Reset the device or perform a clean restore if residual call history must be removed before patching is feasible
  • Restrict physical access to unlocked devices through screen lock policies and biometric authentication enforced via MDM
bash
# MDM compliance check example - enforce minimum iOS/iPadOS version 18.5
# Example configuration profile key (PayloadType: com.apple.softwareupdate)
#   AllowStandardUserOSUpdates: true
#   TargetOSVersion: 18.5

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne