CRITICAL🇵🇱 Wersja polska

CVE-2025-30457

CVSS 9.8v3.1pub. 2025-03-31upd. 2026-04-02

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5. A malicious app may be able to create symlinks to protected regions of the disk.

🤖 AI Analysis
How it works

The issue results from insufficient symlink validation (CWE-59 — Improper Link Resolution Before File Access). A malicious application could create symbolic links pointing to disk areas protected by the system. Apple eliminated the vulnerability by strengthening the symlink verification mechanism.

Impact

An attacker, using a malicious application installed on the victim's device, can gain unauthorized access to protected system files or directories, which may lead to disclosure of sensitive data, modification of system files, or system destabilization.

Mitigation & patch

The system should be updated to macOS Sequoia 15.4, macOS Sonoma 14.7.5, or macOS Ventura 13.7.5. Details are available in Apple's guidance: https://support.apple.com/en-us/122373, https://support.apple.com/en-us/122374, https://support.apple.com/en-us/122375.

Who is affected

Apple macOS Sequoia versions prior to 15.4, macOS Sonoma versions prior to 14.7.5, macOS Ventura versions prior to 13.7.5.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple macOS

    OS
    Apple
    < 13.7.514.0 – 14.7.5 (bez)15.0 – 15.4 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki