CRITICAL🇵🇱 Wersja polska

CVE-2025-43220

CVSS 9.8v3.1pub. 2025-07-30upd. 2025-11-03

This issue was addressed with improved validation of symlinks. This issue is fixed in iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access protected user data.

🤖 AI Analysis
How it works

The issue results from improper validation of symbolic links (CWE-59 — Improper Link Resolution Before File Access). A malicious or compromised application can create or exploit symlinks pointing to protected areas of the file system, to which it would normally not have access permissions. Apple resolved the issue by introducing enhanced symlink validation during file path resolution.

Impact

An attacker or malicious application can gain unauthorized access to protected user data, which may lead to disclosure of sensitive information, its modification, or destruction.

Mitigation & patch

Systems must be immediately updated to the following versions: iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, or macOS Ventura 13.7.7. Patches are available through Apple's system update mechanism and the manufacturer's support pages referenced in the references.

Who is affected

Apple iPadOS in versions prior to 17.7.9, macOS Sequoia in versions prior to 15.6, macOS Sonoma in versions prior to 14.7.7, macOS Ventura in versions prior to 13.7.7.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apple iPadOS

    OS
    Apple
    < 17.7.9
  • Apple macOS

    OS
    Apple
    < 13.7.714.0 – 14.7.7 (bez)15.0 – 15.6 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-10585CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Type confusion w V8 (Google Chrome) — zdalne uszkodzenie sterty

CVE-2025-43300CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu

CVE-2025-31201CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach

CVE-2025-31200CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Apple — memory corruption (RCE) w przetwarzaniu strumieni audio

CVE-2025-24201CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki