CVE-2025-43191: Path Traversal
Published Jul 29, 2025
·Updated
A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to cause a denial-of-service.
Credit
Ryan Dowd@@_rdowd, Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), ABC Research s.r.o., Mickey Jin@@patch1t, Noah Gregory (wts.dev), Andreas Jaegersberger & Ro Achterberg(Nosebeard Labs), an anonymous researcher, Gergely Kalman@@gergely_kalman, 风沐云烟@@binary_fmyy, Minghao Lin@@Y1nKoc, 2ourc3 | Salim Largo, Dawuge(Shuffle Team), Anonymous(Trend Micro Zero Day Initiative), Gary Kwong(Trend Micro Zero Day Initiative), CVE-2025-43226, Christian Kohlschütter, Ivan Fratric(Google Project Zero), Pyrophoria, Csaba Fitzl@@theevilbit(Kandji), Minghao Lin, Jiaxun Zhu, Kirin@@Pwnrin, Zhongquan Li@@Guluisacat, Koh M. Nakagawa@@tsunek0h(Kandji), Wojciech Regula(SecuRing), Yuebin Sun@@yuebinsun2020, Shang-De Jiang(CyCraft Technology), Kazma Ye(CyCraft Technology), Nikolai Skliarenko(Trend Micro Zero Day Initiative), Mickey Jin@@patch1t(Team Orca of Sea Security), Keith Yeo@@kyeojy(Team Orca of Sea Security), Martti Hütt, Tony Iskow@@Tybbow, MRHAX, Aditya Rana, Google's Threat Analysis Group, Seo Hyun-gyu@@wh1te4ever(Xiaomi), Dora Orak(Xiaomi), Minghao Lin@@Y1nKoc(Xiaomi), XiLong Zhang@@Resery4(Xiaomi), noir@@ROIS, fmyy (@风沐云烟), Chi Yuan Chang(ZUSO ART), taikosoup, Willey Lin, Arsenii Kostromin (0x3c3e), Brian Carpenter, Sergei Glazunov(Google Project Zero), Dora Orak, Vlad Stolyarov(Google's Threat Analysis Group), Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), an anonymous researcher(Loadshine Lab), Hikerell(Loadshine Lab), @@zlluny, CVE-2025-6965, Martin Bajanik(Fingerprint), Ammar Askar, Gilad Moav, Yehuda Afek, Anat Bremler-Barr, Amit Klein, Yuhao Hu, Yan Kang, Chenggang Wu, Xiaojie Wei, Syarif Muhammad Sajjad, shandikri(Trend Micro Zero Day Initiative), Google V8 Security Team, Nan Wang@@eternalsakura13, Ziling Chen, HexRabbit@@h3xr4bb1t(DEVCORE Research Team), Ignacio Sanmillan@@ulexec, Clément Lecigne(Google's Threat Analysis Group), Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft)
Affected Software
6 affected componentsFixes available
Apple macOS Ventura<13.7.7
13.7.7
Apple macOS Sequoia<15.6
15.6
Apple macOS Sonoma<14.7.7
14.7.7
Apple macOS<13.7.7
Apple macOS>=14.0<14.7.7
Apple macOS>=15.0<15.6
Event History
Jul 29, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
CVE Published
via MITRE·11:54 PM
Data Sourced
via MITRE·11:54 PM
DescriptionWeakness
Jul 30, 2025
Data Sourced
via NVD·12:15 AM
DescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2025-43191?
CVE-2025-43191 is classified as a denial-of-service vulnerability.
2
How do I fix CVE-2025-43191?
To fix CVE-2025-43191, users should update to macOS Sequoia 15.6, macOS Sonoma 14.7.7, or macOS Ventura 13.7.7.
3
Which versions of macOS are affected by CVE-2025-43191?
CVE-2025-43191 affects macOS Ventura up to version 13.7.7, macOS Sequoia up to version 15.6, and macOS Sonoma up to version 14.7.7.
4
What type of issue is CVE-2025-43191?
CVE-2025-43191 is a path handling issue that was addressed with improved validation.
5
Is there a workaround for CVE-2025-43191?
Currently, there are no documented workarounds for CVE-2025-43191; updating to a fixed version is recommended.