The issue was addressed with improved checks. This issue is fixed in watchOS 11.5, tvOS 18.5, iOS 18.5 and iPadOS 18.5, macOS Sequoia 15.5, visionOS 2.5, Safari 18.5. A malicious website may exfiltrate data cross-origin.
Weakness
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Safari | Apple | * | 18.5 (excluding) |
| Ipados | Apple | * | 18.5 (excluding) |
| Iphone_os | Apple | * | 18.5 (excluding) |
| Macos | Apple | * | 15.5 (excluding) |
| Tvos | Apple | * | 18.5 (excluding) |
| Visionos | Apple | * | 2.5 (excluding) |
| Watchos | Apple | * | 11.5 (excluding) |
| Red Hat Enterprise Linux 7 Extended Lifecycle Support | RedHat | webkitgtk4-0:2.48.3-2.el7_9 | * |
| Red Hat Enterprise Linux 8 | RedHat | webkit2gtk3-0:2.48.2-1.el8_10 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | webkit2gtk3-0:2.48.2-1.el8_4 | * |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | webkit2gtk3-0:2.48.2-1.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | webkit2gtk3-0:2.48.2-1.el8_6 | * |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | webkit2gtk3-0:2.48.2-1.el8_6 | * |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | RedHat | webkit2gtk3-0:2.48.2-1.el8_8 | * |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | RedHat | webkit2gtk3-0:2.48.2-1.el8_8 | * |
| Red Hat Enterprise Linux 9 | RedHat | webkit2gtk3-0:2.48.2-1.el9_6 | * |
| Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions | RedHat | webkit2gtk3-0:2.48.2-1.el9_0 | * |
| Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions | RedHat | webkit2gtk3-0:2.48.2-1.el9_2 | * |
| Red Hat Enterprise Linux 9.4 Extended Update Support | RedHat | webkit2gtk3-0:2.48.2-1.el9_4 | * |
| Qtwebkit-opensource-src | Ubuntu | esm-apps/bionic | * |
| Qtwebkit-opensource-src | Ubuntu | esm-apps/focal | * |
| Qtwebkit-opensource-src | Ubuntu | esm-apps/jammy | * |
| Qtwebkit-opensource-src | Ubuntu | esm-apps/noble | * |
| Qtwebkit-opensource-src | Ubuntu | esm-infra/xenial | * |
| Qtwebkit-opensource-src | Ubuntu | focal | * |
| Qtwebkit-opensource-src | Ubuntu | jammy | * |
| Qtwebkit-opensource-src | Ubuntu | noble | * |
| Qtwebkit-opensource-src | Ubuntu | oracular | * |
| Qtwebkit-source | Ubuntu | esm-apps/bionic | * |
| Qtwebkit-source | Ubuntu | esm-apps/xenial | * |
| Webkit2gtk | Ubuntu | devel | * |
| Webkit2gtk | Ubuntu | esm-infra/bionic | * |
| Webkit2gtk | Ubuntu | esm-infra/focal | * |
| Webkit2gtk | Ubuntu | esm-infra/xenial | * |
| Webkit2gtk | Ubuntu | focal | * |
| Webkit2gtk | Ubuntu | jammy | * |
| Webkit2gtk | Ubuntu | noble | * |
| Webkit2gtk | Ubuntu | oracular | * |
| Webkit2gtk | Ubuntu | plucky | * |
| Webkit2gtk | Ubuntu | upstream | * |
| Webkitgtk | Ubuntu | esm-apps/bionic | * |
| Webkitgtk | Ubuntu | esm-apps/xenial | * |
| Wpewebkit | Ubuntu | esm-apps/focal | * |
| Wpewebkit | Ubuntu | esm-apps/jammy | * |
| Wpewebkit | Ubuntu | focal | * |
| Wpewebkit | Ubuntu | jammy | * |
Potential Mitigations
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- Use the “double-submitted cookie” method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/467.html
- https://cwe.mitre.org/data/definitions/62.html
References
- https://support.apple.com/en-us/122404
- https://support.apple.com/en-us/122716
- https://support.apple.com/en-us/122719
- https://support.apple.com/en-us/122720
- https://support.apple.com/en-us/122721
- https://support.apple.com/en-us/122722
- http://seclists.org/fulldisclosure/2025/May/10
- http://seclists.org/fulldisclosure/2025/May/12
- http://seclists.org/fulldisclosure/2025/May/13
- http://seclists.org/fulldisclosure/2025/May/5
- http://seclists.org/fulldisclosure/2025/May/7
- https://lists.debian.org/debian-lts-announce/2025/06/msg00016.html