CVE-2025-31254

Published: Sep 15, 2025Modified: Nov 3, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

This issue was addressed with improved URL validation. This issue is fixed in Safari 26, iOS 26 and iPadOS 26. Processing maliciously crafted web content may lead to unexpected URL redirection.

Affected (3)

Products: Apple: Ipados, Iphone Os, Safari

3 products

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Apple Ipados	Before 26.0
Apple Iphone Os	Before 26.0
Apple Safari	Before 26.0

Related CWEs

CWE-863

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://support.apple.com/en-us/125108

Source: product-security@apple.com

Release NotesVendor Advisory

https://support.apple.com/en-us/125113

Source: product-security@apple.com

Release NotesVendor Advisory

http://seclists.org/fulldisclosure/2025/Sep/59

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.