CVE-2025-30467 is a vulnerability identified in Apple Safari browsers that enables an attacker to perform address bar spoofing by crafting malicious websites. Address bar spoofing occurs when the URL displayed in the browser’s address bar is manipulated to show a different, often legitimate-looking, address than the actual site being visited. This can deceive users into trusting a malicious site, increasing the likelihood of phishing, credential theft, or malware downloads. The vulnerability stems from insufficient validation of URLs or address bar content rendering within Safari, categorized under CWE-451 (XML External Entity Injection or similar input validation issues). It affects Safari versions prior to 18.4 across Apple’s ecosystem, including iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, and watchOS 11.4. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The impact is limited to integrity (I:L) with no confidentiality or availability impact. Apple has addressed the issue by implementing improved checks to validate address bar content, preventing spoofing attempts. No public exploits or active exploitation have been reported to date. The vulnerability primarily facilitates social engineering attacks rather than direct system compromise.

The primary impact of this vulnerability is on user trust and the integrity of the browsing experience. By spoofing the address bar, attackers can impersonate legitimate websites, increasing the effectiveness of phishing campaigns and potentially leading to credential theft, financial fraud, or malware infections. Organizations relying on Apple devices for accessing sensitive information or conducting business online may face increased risk of targeted phishing attacks. While the vulnerability does not directly compromise system confidentiality or availability, the indirect consequences of successful phishing can be severe, including data breaches, unauthorized access, and reputational damage. The scope includes all users of vulnerable Safari versions across Apple’s platforms, which are widely used globally, particularly in regions with high Apple market penetration. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

To mitigate this vulnerability, organizations and users should promptly update Safari to version 18.4 or later, and ensure their Apple devices run the corresponding OS updates (iOS 18.4, iPadOS 18.4, macOS Sequoia 15.4, watchOS 11.4). Beyond patching, organizations should implement user awareness training focused on recognizing phishing attempts and verifying URLs carefully, especially when prompted to enter credentials or sensitive information. Deploying web filtering solutions that block access to known malicious sites can reduce exposure. Security teams should monitor for suspicious web traffic patterns indicative of phishing campaigns exploiting address bar spoofing. Additionally, enabling multi-factor authentication (MFA) on critical services can limit damage from credential theft. For enterprise-managed devices, enforcing update policies and restricting installation of untrusted applications can further reduce risk. Finally, security teams should review browser security settings and consider using browser extensions that highlight URL authenticity or warn about suspicious sites.