CVE-2025-55177

Published: Aug 29, 2025Modified: Oct 24, 2025CISA KEV

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: cve-assign@fb.com (Secondary)

Description

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

Affected (3)

Products: Whatsapp: Whatsapp, Whatsapp Business

2 products

Whatsapp Business

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Whatsapp Whatsapp	From 2.22.25.2 to 2.25.21.73
Whatsapp Whatsapp	From 2.22.25.2 to 2.25.21.78
Whatsapp Whatsapp Business	From 2.22.25.2 to 2.25.21.78

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

https://www.facebook.com/security/advisories/cve-2025-55177

Source: cve-assign@fb.com

Vendor Advisory

https://www.whatsapp.com/security/advisories/2025/

Source: cve-assign@fb.com

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

US Government Resource

Timeline

No history available yet.