Security Vulnerability Report
中文
CVE-2025-43376 CVSS 7.5 HIGH

CVE-2025-43376

Published: 2025-11-04 02:15:45
Last Modified: 2026-04-02 19:20:36
Source: [email protected]

Description

A logic issue was addressed with improved state management. This issue is fixed in Safari 26, iOS 18.7.7 and iPadOS 18.7.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* - VULNERABLE
Safari < 26
iOS < 18.7.7
iPadOS < 18.7.7
iOS < 26
iPadOS < 26
macOS Tahoe < 26
tvOS < 26
visionOS < 26
watchOS < 26

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-43376 PoC - DNS Query Leak via Private Relay // This PoC demonstrates the DNS query leak vulnerability in Apple Private Relay const http = require('http'); // Simulate DNS query monitoring function monitorDNSLeak() { console.log('[+] CVE-2025-43376: DNS Query Leak PoC'); console.log('[+] Target: Apple Private Relay'); // Step 1: Detect if Private Relay is enabled const checkPrivateRelay = () => { console.log('[+] Checking Private Relay status...'); // In real scenario, this would check iCloud Private Relay settings return true; }; // Step 2: Trigger DNS queries through Private Relay const triggerDNSQuery = (domain) => { console.log(`[+] Triggering DNS query for: ${domain}`); // Simulate DNS query through Private Relay return { query: domain, leaked: true, // Vulnerability allows leak timestamp: new Date().toISOString() }; }; // Step 3: Capture leaked DNS information const captureLeakedInfo = (queryResult) => { console.log('[+] Capturing leaked DNS information:'); console.log(` Domain: ${queryResult.query}`); console.log(` Timestamp: ${queryResult.timestamp}`); console.log('[+] DNS query successfully leaked!'); }; // Execute attack if (checkPrivateRelay()) { const domains = ['example.com', 'malicious-site.com', 'bank.com']; domains.forEach(domain => { const result = triggerDNSQuery(domain); captureLeakedInfo(result); }); } } monitorDNSLeak();

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43376", "sourceIdentifier": "[email protected]", "published": "2025-11-04T02:15:44.710", "lastModified": "2026-04-02T19:20:35.927", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A logic issue was addressed with improved state management. This issue is fixed in Safari 26, iOS 18.7.7 and iPadOS 18.7.7, iOS 26 and iPadOS 26, macOS Tahoe 26, tvOS 26, visionOS 26, watchOS 26. A remote attacker may be able to view leaked DNS queries with Private Relay turned on."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "213D326D-D8FB-4C0B-B3C9-D44E359F5765"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "C4221CFD-0208-42B8-AACA-1BE6AEC3BA9A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "68DCA17A-424E-4EE3-B005-0F2E42407226"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "E33744A8-68C0-4822-B08E-100911C18404"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.0", "matchCriteriaId": "66CF3395-7CC9-41FD-8419-815AC6022191"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125108", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125110", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125113", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125114", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125115", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125116", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/126793", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.