Refine your search
6 vulnerabilities found for WhatsApp for iOS by Facebook
CVE-2025-55179 (GCVE-0-2025-55179)
Vulnerability from nvd
Published
2025-11-18 13:56
Modified
2025-11-18 14:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Incorrect Authorization (CWE-863)
Summary
Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WhatsApp Business for iOS |
Version: 2.25.8.14 ≤ |
|||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T14:22:05.852548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T14:25:08.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.23.82",
"status": "affected",
"version": "2.25.8.14",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.23.73",
"status": "affected",
"version": "2.25.8.17",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp Desktop for Mac",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.23.83",
"status": "affected",
"version": "2.25.8.14",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-11-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user\u2019s device. We have not seen evidence of exploitation in the wild."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Authorization (CWE-863)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T13:56:31.598Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55179"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.whatsapp.com/security/advisories/2025/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55179",
"datePublished": "2025-11-18T13:56:31.598Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-11-18T14:25:08.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55177 (GCVE-0-2025-55177)
Vulnerability from nvd
Published
2025-08-29 15:50
Modified
2025-10-21 22:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Incorrect Authorization (CWE-863)
Summary
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WhatsApp Desktop for Mac |
Version: 2.22.25.2 ≤ |
|||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55177",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-30T03:55:35.684164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-02",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:45:20.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-02T00:00:00+00:00",
"value": "CVE-2025-55177 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WhatsApp Desktop for Mac",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.21.78",
"status": "affected",
"version": "2.22.25.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.21.78",
"status": "affected",
"version": "2.22.25.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.21.73",
"status": "affected",
"version": "2.22.25.2",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-08-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target\u2019s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Authorization (CWE-863)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-30T16:54:33.495Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55177"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.whatsapp.com/security/advisories/2025/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2025-55177",
"datePublished": "2025-08-29T15:50:28.578Z",
"dateReserved": "2025-08-08T18:21:47.118Z",
"dateUpdated": "2025-10-21T22:45:20.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3568 (GCVE-0-2019-3568)
Vulnerability from nvd
Published
2019-05-14 19:52
Modified
2025-10-21 23:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-122 - Heap-based Buffer Overflow ()
Summary
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WhatsApp for Android |
Version: 2.19.134 Version: unspecified < 2.19.134 |
||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.facebook.com/security/advisories/cve-2019-3568"
},
{
"name": "108329",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108329"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2019-3568",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T12:56:07.366286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-04-19",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:45:37.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-04-19T00:00:00+00:00",
"value": "CVE-2019-3568 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WhatsApp for Android",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.134"
},
{
"lessThan": "2.19.134",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp Business for Android",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.44"
},
{
"lessThan": "2.19.134",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.51"
},
{
"lessThan": "2.19.51",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.51"
},
{
"lessThan": "2.19.51",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp for Windows Phone",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.18.348"
},
{
"lessThan": "2.18.348",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp for Tizen",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.18.15"
},
{
"lessThan": "2.18.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2019-05-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow (CWE-122)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-13T20:57:11.000Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.facebook.com/security/advisories/cve-2019-3568"
},
{
"name": "108329",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108329"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2019-05-09",
"ID": "CVE-2019-3568",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for Android",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.134"
},
{
"version_affected": "\u003c",
"version_value": "2.19.134"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp Business for Android",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.44"
},
{
"version_affected": "\u003c",
"version_value": "2.19.134"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for iOS",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.51"
},
{
"version_affected": "\u003c",
"version_value": "2.19.51"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp Business for iOS",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.51"
},
{
"version_affected": "\u003c",
"version_value": "2.19.51"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for Windows Phone",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.18.348"
},
{
"version_affected": "\u003c",
"version_value": "2.18.348"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for Tizen",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.18.15"
},
{
"version_affected": "\u003c",
"version_value": "2.18.15"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Heap-based Buffer Overflow (CWE-122)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.facebook.com/security/advisories/cve-2019-3568",
"refsource": "MISC",
"url": "https://www.facebook.com/security/advisories/cve-2019-3568"
},
{
"name": "108329",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108329"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2019-3568",
"datePublished": "2019-05-14T19:52:40.000Z",
"dateReserved": "2019-01-02T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:45:37.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55179 (GCVE-0-2025-55179)
Vulnerability from cvelistv5
Published
2025-11-18 13:56
Modified
2025-11-18 14:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Incorrect Authorization (CWE-863)
Summary
Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen evidence of exploitation in the wild.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WhatsApp Business for iOS |
Version: 2.25.8.14 ≤ |
|||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55179",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T14:22:05.852548Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T14:25:08.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.23.82",
"status": "affected",
"version": "2.25.8.14",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.23.73",
"status": "affected",
"version": "2.25.8.17",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp Desktop for Mac",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.23.83",
"status": "affected",
"version": "2.25.8.14",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-11-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user\u2019s device. We have not seen evidence of exploitation in the wild."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Authorization (CWE-863)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T13:56:31.598Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "Meta"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55179"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.whatsapp.com/security/advisories/2025/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "Meta",
"cveId": "CVE-2025-55179",
"datePublished": "2025-11-18T13:56:31.598Z",
"dateReserved": "2025-08-08T18:21:47.119Z",
"dateUpdated": "2025-11-18T14:25:08.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-55177 (GCVE-0-2025-55177)
Vulnerability from cvelistv5
Published
2025-08-29 15:50
Modified
2025-10-21 22:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Incorrect Authorization (CWE-863)
Summary
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WhatsApp Desktop for Mac |
Version: 2.22.25.2 ≤ |
|||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55177",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-30T03:55:35.684164Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2025-09-02",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T22:45:20.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-02T00:00:00+00:00",
"value": "CVE-2025-55177 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WhatsApp Desktop for Mac",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.21.78",
"status": "affected",
"version": "2.22.25.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.21.78",
"status": "affected",
"version": "2.22.25.2",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"lessThan": "2.25.21.73",
"status": "affected",
"version": "2.22.25.2",
"versionType": "semver"
}
]
}
],
"dateAssigned": "2025-08-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target\u2019s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Incorrect Authorization (CWE-863)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-30T16:54:33.495Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.facebook.com/security/advisories/cve-2025-55177"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.whatsapp.com/security/advisories/2025/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2025-55177",
"datePublished": "2025-08-29T15:50:28.578Z",
"dateReserved": "2025-08-08T18:21:47.118Z",
"dateUpdated": "2025-10-21T22:45:20.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-3568 (GCVE-0-2019-3568)
Vulnerability from cvelistv5
Published
2019-05-14 19:52
Modified
2025-10-21 23:45
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-122 - Heap-based Buffer Overflow ()
Summary
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WhatsApp for Android |
Version: 2.19.134 Version: unspecified < 2.19.134 |
||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T19:12:09.468Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.facebook.com/security/advisories/cve-2019-3568"
},
{
"name": "108329",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/108329"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2019-3568",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-07T12:56:07.366286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-04-19",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-21T23:45:37.464Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
}
],
"timeline": [
{
"lang": "en",
"time": "2022-04-19T00:00:00+00:00",
"value": "CVE-2019-3568 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "WhatsApp for Android",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.134"
},
{
"lessThan": "2.19.134",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp Business for Android",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.44"
},
{
"lessThan": "2.19.134",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp for iOS",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.51"
},
{
"lessThan": "2.19.51",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp Business for iOS",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.19.51"
},
{
"lessThan": "2.19.51",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp for Windows Phone",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.18.348"
},
{
"lessThan": "2.18.348",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "WhatsApp for Tizen",
"vendor": "Facebook",
"versions": [
{
"status": "affected",
"version": "2.18.15"
},
{
"lessThan": "2.18.15",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"dateAssigned": "2019-05-09T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow (CWE-122)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-13T20:57:11.000Z",
"orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"shortName": "facebook"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.facebook.com/security/advisories/cve-2019-3568"
},
{
"name": "108329",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/108329"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@fb.com",
"DATE_ASSIGNED": "2019-05-09",
"ID": "CVE-2019-3568",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for Android",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.134"
},
{
"version_affected": "\u003c",
"version_value": "2.19.134"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp Business for Android",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.44"
},
{
"version_affected": "\u003c",
"version_value": "2.19.134"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for iOS",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.51"
},
{
"version_affected": "\u003c",
"version_value": "2.19.51"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp Business for iOS",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.19.51"
},
{
"version_affected": "\u003c",
"version_value": "2.19.51"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for Windows Phone",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.18.348"
},
{
"version_affected": "\u003c",
"version_value": "2.18.348"
}
]
}
}
]
},
"vendor_name": "Facebook"
},
{
"product": {
"product_data": [
{
"product_name": "WhatsApp for Tizen",
"version": {
"version_data": [
{
"version_affected": "!=\u003e",
"version_value": "2.18.15"
},
{
"version_affected": "\u003c",
"version_value": "2.18.15"
}
]
}
}
]
},
"vendor_name": "Facebook"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Heap-based Buffer Overflow (CWE-122)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.facebook.com/security/advisories/cve-2019-3568",
"refsource": "MISC",
"url": "https://www.facebook.com/security/advisories/cve-2019-3568"
},
{
"name": "108329",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/108329"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
"assignerShortName": "facebook",
"cveId": "CVE-2019-3568",
"datePublished": "2019-05-14T19:52:40.000Z",
"dateReserved": "2019-01-02T00:00:00.000Z",
"dateUpdated": "2025-10-21T23:45:37.464Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}