CVE-2025-43220 | This issue was addressed with improved validation of symlink… | CVSS 9.8 CRITICAL

Description

This issue was addressed with improved validation of symlinks. This issue is fixed in iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access protected user data.

Metadata

CVE ID: CVE-2025-43220
State: PUBLISHED
Assigner: apple
Reserved: 2025-04-16 15:24 UTC
Published: 2025-07-29 23:29 UTC
Last updated: 2026-04-02 18:26 UTC
Primary CWE: CWE-59
CWE-59 Improper Link Resolution Before File Access ('Link Fo…
Vendor / Product: Apple / iPadOS
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (2)

Vendor	Product	Platform	Versions
Apple	iPadOS	—	0 < 17.7.9
Apple	macOS	—	0 < 13.7.7, 0 < 14.7.7, 0 < 15.6

Weakness (CWE)

CWE	Source	Description
—	cna	An app may be able to access protected user data
CWE-59	adp	CWE-59 Improper Link Resolution Before File Access ('Link Following')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)