CVE-2025-55177
In short
WhatsApp for iOS and Mac had a flaw where unverified synchronization messages could trick a device into processing content from any website an attacker controls. This could be exploited alongside other Apple system vulnerabilities to attack specific users.
Technical detail
The vulnerability stems from incomplete authorization checks on linked device synchronization messages, allowing an unauthenticated attacker to inject arbitrary URLs for processing on a target device. Exploitation requires combining this flaw with CVE-2025-43300 (OS-level Apple vulnerability) to achieve impact in targeted attacks; the attack vector is network-based through malicious synchronization messages.
Summary generated and translated by AI from the official description.
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C
Affected products
- Facebook · WhatsApp Business for iOS
- Facebook · WhatsApp Desktop for Mac
- Facebook · WhatsApp for iOS
Public PoCs found: 1
- GitHub: github.com/danielw98/zero-click-exploit-analysis (★ 2)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.