CVE-2025-43480: 
Apple Safari vulnerability analysis and mitigation

CVE-2025-43480 is a security vulnerability discovered in Apple's WebKit browser engine that affects multiple Apple operating systems and devices. The vulnerability was disclosed on November 3, 2025, and affects Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1, iPadOS 26.1, and tvOS 26.1. The issue was discovered by security researcher Aleksejs Popovs and allows a malicious website to exfiltrate data cross-origin (Apple Support, NVD).

The vulnerability is classified as a cross-origin data exfiltration issue in WebKit (WebKit Bugzilla: 276208). The CVSS 3.1 base score is 8.1 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The vulnerability is associated with CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The issue was addressed by implementing improved checks in the WebKit engine (NVD).

The vulnerability allows malicious websites to exfiltrate data across different origins, potentially leading to unauthorized access to sensitive information from other web applications. This cross-origin data leak could compromise user privacy and security by allowing attackers to gather information from other browser contexts (Apple Support).

Apple has addressed the vulnerability by implementing improved checks in WebKit. The fix is available in Safari 26.1, visionOS 26.1, watchOS 26.1, iOS 26.1, iPadOS 26.1, and tvOS 26.1. Users are advised to update their devices to these versions to protect against potential exploitation (Apple Support).