CVE-2025-24180 is a vulnerability in Apple Safari's implementation of WebAuthn, a web authentication standard that enables secure, passwordless login using public key cryptography. The flaw arises because Safari failed to properly validate the origin of WebAuthn credentials when websites share a registrable suffix (e.g., example.com and example.co). This improper input validation allows a malicious website to impersonate or claim WebAuthn credentials that belong to another legitimate website under the same registrable suffix. Essentially, an attacker controlling a malicious site can trick Safari into associating the victim's WebAuthn credentials with the attacker’s domain, thereby stealing or misusing these credentials. The vulnerability affects Safari on multiple Apple platforms including iOS, iPadOS, macOS Sequoia, visionOS, and watchOS prior to version 18.4 (or equivalent OS versions). The issue was resolved by Apple through improved input validation mechanisms in Safari 18.4 and corresponding OS updates released in early 2025. The CVSS 3.1 base score of 8.1 reflects the network attack vector, low attack complexity, no privileges required, but requiring user interaction, with high impact on confidentiality and integrity but no impact on availability. This vulnerability is categorized under CWE-601 (URL Redirection to Untrusted Site), indicating a logic flaw in origin validation. No known exploits have been reported in the wild as of the publication date.

The primary impact of this vulnerability is the compromise of WebAuthn credentials, which are critical for secure, passwordless authentication. If exploited, attackers can impersonate legitimate users on affected websites, gaining unauthorized access to sensitive accounts and services. This undermines the confidentiality and integrity of user authentication data, potentially leading to account takeover, data breaches, and unauthorized transactions. Organizations relying on Safari for WebAuthn-based authentication, especially those in finance, healthcare, and enterprise sectors, face increased risk of credential theft and subsequent fraud. Since the vulnerability affects multiple Apple platforms, the scope is broad, impacting users on desktops, mobile devices, and emerging platforms like visionOS. Although exploitation requires user interaction, the ease of triggering the flaw via malicious websites makes phishing or drive-by attacks feasible. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. Failure to patch promptly could result in significant reputational damage and financial loss for organizations.

Organizations and users should prioritize updating Safari to version 18.4 or later and ensure all Apple devices run the corresponding OS updates (iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, visionOS 2.4, watchOS 11.4). Beyond patching, organizations should implement strict Content Security Policies (CSP) to restrict loading of untrusted scripts and reduce exposure to malicious websites. Web developers should review their use of registrable suffixes and consider isolating WebAuthn credentials by employing site isolation techniques or subdomain segregation to minimize cross-origin risks. User education on phishing and suspicious websites can reduce the likelihood of user interaction with malicious sites. Monitoring web traffic for unusual WebAuthn requests or anomalies may help detect exploitation attempts. Additionally, organizations should consider multi-factor authentication fallback mechanisms and continuous authentication monitoring to detect unauthorized access even if credentials are compromised.