CVE-2025-24129

Name of the Vulnerable Software and Affected Versions visionOS versions prior to 2.3 iOS versions prior to 18.3 iPadOS versions prior to 18.3 macOS Sequoia versions prior to 15.3 watchOS versions prior to 11.3 tvOS versions prior to 18.3

Description A type confusion issue was addressed with improved checks. This issue may allow a remote attacker to cause an unexpected app termination. The vulnerability is related to the AirPlay protocol and can be exploited through the /getProperty API endpoint using the POST method. Examples of attack outcomes include distracting drivers through image display and playing audio, or potentially actions like eavesdropping on conversations and tracking a vehicle's location. Crashing the AirPlay server creates an opening for a man-in-the-middle attack.

Recommendations For visionOS versions prior to 2.3, update to version 2.3 or later. For iOS versions prior to 18.3, update to version 18.3 or later. For iPadOS versions prior to 18.3, update to version 18.3 or later. For macOS Sequoia versions prior to 15.3, update to version 15.3 or later. For watchOS versions prior to 11.3, update to version 11.3 or later. For tvOS versions prior to 18.3, update to version 18.3 or later. As a temporary workaround, consider disabling the AirPlay protocol until a patch is available. Restrict access to the /getProperty API endpoint to minimize the risk of exploitation. Avoid using the POST method for the /getProperty command until the issue is resolved.