CVE-2025-43392

Dec. 17, 2025, 9:15 p.m.

4.3
Medium

Description

The issue was addressed with improved handling of caches. This issue is fixed in tvOS 26.1, watchOS 26.1, macOS Tahoe 26.1, iOS 26.1 and iPadOS 26.1, Safari 26.1, iOS 18.7.2 and iPadOS 18.7.2, visionOS 26.1. A website may exfiltrate image data cross-origin.

Product(s) Impacted

Vendor Product Versions
Apple
  • Safari
  • Ipados
  • Iphone Os
  • Tvos
  • Visionos
  • Watchos
  • *
  • *
  • *
  • *
  • *
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-524
Use of Cache Containing Sensitive Information
The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere.
CWE-942
Permissive Cross-domain Policy with Untrusted Domains
The product uses a cross-domain policy file that includes domains that should not be trusted.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a apple safari / / / / / / / /
o apple ipados / / / / / / / /
o apple iphone_os / / / / / / / /
o apple tvos / / / / / / / /
o apple visionos / / / / / / / /
o apple watchos / / / / / / / /

References

https://support.apple.com/en-us/125632
https://support.apple.com/en-us/125633
https://support.apple.com/en-us/125634
https://support.apple.com/en-us/125637
https://support.apple.com/en-us/125638
https://support.apple.com/en-us/125639
https://support.apple.com/en-us/125640

Tags

CWE-942
product-security@apple.com
CWE-524
2025-11-04
CVE-2025-43392

CVSS Score

4.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Nov. 4, 2025, 2:15 a.m.
Last Modified: Dec. 17, 2025, 9:15 p.m.

Status : Modified

CVE has been amended by a source (CVE Primary CNA or another CNA). Analysis data supplied by the NVD may be no longer be accurate due to these changes.

More info

Source

product-security@apple.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.