How the CVE Works:
CVE-2025-30467 is a UI spoofing vulnerability in Apple Safari (up to v18.4), iOS, iPadOS, and macOS Sequoia. The flaw allows malicious websites to manipulate the address bar, displaying a fake URL while redirecting users to a phishing/scam page. Attackers exploit improper DOM event handling and insufficient URL validation during page transitions. When a user clicks a manipulated link, Safari fails to update the address bar correctly, allowing the spoofed URL to persist. This deception increases the success rate of phishing attacks by making malicious sites appear legitimate.
DailyCVE Form:
Platform: Apple Safari/iOS/iPadOS/macOS
Version: <18.4
Vulnerability: Address bar spoofing
Severity: Medium
Date: 04/04/2025
What Undercode Say:
Analytics:
- Exploitability: Low (requires user interaction)
- Attack Vector: Web-based (malicious link)
- Prevalence: Limited to unpatched Apple devices
Exploit Command:
Craft a malicious HTML page with JS-based address bar spoofing:
echo '<script>window.history.pushState({}, "", "/legit-page");</script>' > spoof.html
Detection (macOS Terminal):
Check the installed Safari version:
defaults read /Applications/Safari.app/Contents/Info.plist CFBundleShortVersionString
Mitigation Code (WAF Rule):
Block requests referencing history.pushState (nginx; this rule matches the query string via $args):
location / {
    if ($args ~ "history.pushState") {
        return 403;
    }
}
Patch Verification:
Verify macOS Sequoia 15.4+ (the macOS product version, not the Safari version, is what sw_vers reports):
sw_vers -productVersion | grep -E '^15\.4'
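A version check that compares dotted components numerically instead of grepping for a literal string, as an added example that is not part of the original page; it reuses the page's sw_vers and defaults commands for the live check and assumes the patched minimums stated above (macOS 15.4, Safari 18.4):

```sh
#!/bin/sh
# Added example, not from the original page: compare dotted version strings
# numerically, so that 15.10 or 18.4.1 count as patched while a plain
# grep for '15.4' / '18.4' would miss or mismatch them. Minimum patched
# versions assumed from the page: macOS Sequoia 15.4 and Safari 18.4.

# version_ge A B -> returns 0 if A >= B, comparing each dotted component
# as an integer; missing trailing components are treated as 0.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop leading component
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# check_patched NAME CURRENT MINIMUM -> prints a verdict, returns 0 if patched
check_patched() {
  if version_ge "$2" "$3"; then
    printf '%s %s: patched (>= %s)\n' "$1" "$2" "$3"
    return 0
  fi
  printf '%s %s: vulnerable (< %s)\n' "$1" "$2" "$3"
  return 1
}

# check_this_mac: live check using the two commands from the page;
# only meaningful on macOS, where sw_vers and defaults exist.
check_this_mac() {
  macos=$(sw_vers -productVersion)
  safari=$(defaults read /Applications/Safari.app/Contents/Info.plist \
           CFBundleShortVersionString)
  check_patched macOS "$macos" 15.4
  check_patched Safari "$safari" 18.4
}

# Constructed sample values (no real device is queried here):
check_patched macOS 15.4.1 15.4                       # patched
check_patched Safari 18.3.1 18.4 || echo "-> update Safari"   # vulnerable
```

On a Mac, call check_this_mac to run the live check; the function returns non-zero if either component is below the patched version.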
Exploit Flow:
1. User visits attacker’s page
2. JS executes `history.pushState()`
3. Address bar freezes at spoofed URL
4. User interacts with fake content
Protection Steps:
1. Update Safari/iOS/iPadOS/macOS
2. Disable JavaScript for untrusted sites
3. Use browser extensions forcing HTTPS
Debugging (Safari Console):
// Monitor URL changes
window.addEventListener("popstate", () => {
  console.log("URL changed:", location.href);
});
Impact Score: 5.4 (CVSS:4.0 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
References:
Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-30467
Extra Source Hub:
Undercode