CVE-2025-31182 | This issue was addressed with improved handling of symlinks.… | CVSS 9.8 CRITICAL

Description

This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.4 and iPadOS 18.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4, watchOS 11.4. An app may be able to delete files for which it does not have permission.

Metadata

CVE ID: CVE-2025-31182
State: PUBLISHED
Assigner: apple
Reserved: 2025-03-27 16:13 UTC
Published: 2025-03-31 22:22 UTC
Last updated: 2026-04-02 18:12 UTC
Primary CWE: CWE-862
CWE-862 Missing Authorization
Vendor / Product: Apple / iOS and iPadOS
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (5)

Vendor	Product	Platform	Versions
Apple	iOS and iPadOS	—	0 < 18.4
Apple	macOS	—	0 < 13.7.5, 0 < 14.7.5, 0 < 15.4
Apple	tvOS	—	0 < 18.4
Apple	visionOS	—	0 < 2.4
Apple	watchOS	—	0 < 11.4

Weakness (CWE)

CWE	Source	Description
—	cna	An app may be able to delete files for which it does not have permission
CWE-862	adp	CWE-862 Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (7)