CVE-2025-24201 — Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability

CVE-2025-24201

Apple WebKit — Out-of-Bounds Write Enabling Web Content Sandbox Escape (Zero-Day, March 2025)

What is Apple WebKit?

WebKit is Apple's open-source web rendering engine, used by Safari, all iOS/iPadOS browsers (which are required by Apple policy to use WebKit), and many applications that display web content on Apple platforms. WebKit's Web Content process renders HTML, CSS, JavaScript, and media in a sandboxed environment separate from the main browser process. A vulnerability that allows escape from the Web Content sandbox — the "renderer" — is a high-value primitive for attackers, enabling code execution that crosses from the web sandboxed context into the broader application or OS environment. Because all iOS browsers use WebKit, a WebKit sandbox escape affects every browser on every iPhone and iPad.

Overview

CVE-2025-24201 is a maximum-severity out-of-bounds write vulnerability (CWE-787, CVSS 10.0) in Apple WebKit. Maliciously crafted web content can trigger an out-of-bounds write in the Web Content process, breaking out of the Web Content sandbox. Apple described this as a supplement to a fix in iOS 17.2 — indicating the vulnerability was related to an earlier sandbox escape issue that was not fully addressed. The vulnerability was used in "an extremely sophisticated attack" before Apple's March 11, 2025 emergency patch. CISA added it to the KEV catalog two days after the patch.

Affected Versions

Platform         Vulnerable           Fixed
iOS / iPadOS     Prior to 18.3.2      iOS / iPadOS 18.3.2
macOS Sequoia    Prior to 15.3.2      macOS Sequoia 15.3.2
Safari           Prior to 18.3.2      Safari 18.3.2
visionOS         Prior to 2.3.2       visionOS 2.3.2

Note: Apple described this as "an additional fix" supplementing the iOS 17.2 patch, suggesting the original vulnerability was partially mitigated but not fully resolved until 18.3.2.

Technical Details

The vulnerability (CWE-787: Out-of-Bounds Write) is in WebKit's rendering engine. When processing specially crafted HTML/JavaScript/CSS content, WebKit performs an out-of-bounds write to heap memory outside the intended buffer. This memory corruption can be used to overwrite security-critical data in the Web Content process and break out of the process sandbox, executing code with greater privileges than a sandboxed renderer should have; this crossing of a privilege boundary is why the CVSS vector carries Scope: Changed (S:C).

Because all web browsers on iOS and iPadOS are required to use WebKit (per Apple's App Store policies), this vulnerability affects Google Chrome, Firefox, Microsoft Edge, and every other browser on iOS/iPadOS — not just Safari.

Apple noted the fix was "a supplement" to an earlier patch from iOS 17.2, indicating attackers may have re-exploited or bypassed the original fix with a variant that remained in iOS 18.x until 18.3.2.

Discovery

Reported internally by Apple; no external researcher credited. Apple confirmed it was used in "an extremely sophisticated attack."

Exploitation Context

Apple confirmed CVE-2025-24201 was "exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2." The use of language like "extremely sophisticated" and the emergency patch release pattern are consistent with government-grade spyware (Pegasus-class). CISA added the CVE to the KEV catalog on 13 March 2025 — two days after the patch. The patch was released on a Tuesday (March 11), outside Apple's typical major update schedule, reflecting urgency.

Remediation

  1. Update immediately: iOS/iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.2, visionOS 2.3.2.
  2. All iOS browsers are affected — updating iOS/iPadOS updates WebKit for all browsers on the device, not just Safari.
  3. Enable automatic updates for all Apple devices.
  4. For high-risk individuals: enable Apple Lockdown Mode to restrict WebKit's attack surface and prevent web-based zero-click delivery.
  5. Enterprise fleets: push the update via MDM and verify compliance within the CISA deadline.
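The compliance check in step 5 is where fleets most often go wrong: a naive string comparison ranks "18.3.10" below "18.3.2". The following script is an added example, not part of the advisory or any Apple or CISA tooling; it reads a constructed MDM inventory export (the serial,platform,os_version column layout and every row are assumptions for this example) and flags each device whose OS is below the fixed version from the Affected Versions table above.

```python
# Added example (not from the advisory): flag devices in an MDM inventory export
# that still run an OS build below the fixed versions for CVE-2025-24201.
# Fixed versions come from the advisory's "Affected Versions" table; the
# inventory format (serial,platform,os_version) and the rows are constructed.
import csv
import io
from typing import List, Tuple

# Platform -> first fixed version, as listed in the advisory.
FIXED_VERSIONS = {
    "iOS": "18.3.2",
    "iPadOS": "18.3.2",
    "macOS": "15.3.2",    # the advisory names macOS Sequoia 15.3.2 only
    "Safari": "18.3.2",
    "visionOS": "2.3.2",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.3.10' into (18, 3, 10) so the comparison is numeric.
    Plain string comparison would wrongly rank '18.3.10' below '18.3.2'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    # Pad to three components so '18.3' compares as (18, 3, 0).
    return nums + (0,) * (3 - len(nums))

def is_vulnerable(platform: str, version: str) -> bool:
    """True when the device's OS is below the fixed version for its platform.
    Platforms the advisory does not cover cannot be assessed and raise."""
    if platform not in FIXED_VERSIONS:
        raise KeyError(f"platform not covered by this advisory: {platform!r}")
    return parse_version(version) < parse_version(FIXED_VERSIONS[platform])

def find_noncompliant(inventory_csv: str) -> List[Tuple[str, str, str]]:
    """Return (serial, platform, version) for every device needing the update.
    Rows for platforms outside the advisory are skipped, not flagged."""
    flagged = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["platform"].strip()
        if platform not in FIXED_VERSIONS:
            continue
        if is_vulnerable(platform, row["os_version"]):
            flagged.append((row["serial"], platform, row["os_version"].strip()))
    return flagged

# Constructed sample inventory: serials and versions are made up for this example.
SAMPLE_INVENTORY = """serial,platform,os_version
C02AAA001,macOS,15.3.1
C02AAA002,macOS,15.3.2
DMPBBB001,iOS,18.3.1
DMPBBB002,iOS,18.3.10
DMPBBB003,iPadOS,18.3
F9FCCC001,visionOS,2.3.2
F9FCCC002,visionOS,2.2.1
XYZDDD001,tvOS,18.3.1
"""

if __name__ == "__main__":
    for serial, platform, version in find_noncompliant(SAMPLE_INVENTORY):
        print(f"{serial}: {platform} {version} is below fixed version "
              f"{FIXED_VERSIONS[platform]}")
```

Devices at exactly the fixed version pass, a two-component version such as "18.3" is padded and correctly flagged, and the tvOS row is skipped rather than flagged because the advisory's table does not list that platform.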

Key Details

Property              Value
CVE ID                CVE-2025-24201
Vendor / Product      Apple — Multiple Products
NVD Published         2025-03-11
NVD Last Modified     2026-04-03
CVSS 3.1 Score        10.0
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-787
CISA KEV Added        2025-03-13
CISA KEV Deadline     2025-04-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2025-04-03. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-03-11  Apple releases iOS/iPadOS 18.3.2, macOS Sequoia 15.3.2, Safari 18.3.2, visionOS 2.3.2 (emergency patch); CVE published
2025-03-13  CISA adds CVE-2025-24201 to the Known Exploited Vulnerabilities catalog
2025-04-03  CISA BOD 22-01 remediation deadline