ZDI-25-1011 describes a use-after-free vulnerability in Apple Safari’s JavaScriptCore engine when parsing WebAssembly functions, allowing remote code execution in the browser process. The Zero Day Initiative advisory states that exploitation requires user interaction in the form of visiting a malicious page or opening a crafted file, making this a classic drive-by browser exploit vector. By triggering a use-after-free condition during Wasm function parsing, an attacker can gain code execution mapped to MITRE ATT&CK technique T1203 (Exploitation for Client Execution). Organizations should treat this Safari JavaScriptCore Wasm vulnerability as a significant client-side attack surface on macOS and iOS endpoints.

The flaw is triggered when JavaScriptCore fails to properly validate object lifetimes while processing WebAssembly function structures, leaving dangling pointers that can be abused for memory corruption. Attackers can craft malicious Wasm modules embedded in web pages that exercise the vulnerable code path, then spray or shape the heap to redirect execution flow to attacker-controlled shellcode. Once code executes in the browser process, follow-on actions such as credential theft, session hijacking and malware staging become possible, especially if combined with sandbox escapes or additional vulnerabilities.

From a business perspective, exploitation of ZDI-25-1011 could enable compromise of executive laptops, developer workstations or designer systems where Safari is a common primary browser. Successful attacks may lead to theft of SSO cookies for SaaS applications, access tokens for cloud consoles or confidential documents accessed through the browser, with cascading impact on internal systems and customer data. For organizations in regulated industries, browser-based compromise can become a breach event if personal, financial or health data is exfiltrated.
Apple is expected to address ZDI-25-1011 in upcoming WebKit and Safari security updates, and security teams should ensure that macOS and iOS fleets apply these patches quickly once available. In the meantime, organizations can reduce exposure by enforcing rapid browser update policies, limiting use of Safari for high-risk browsing and considering restrictions on WebAssembly execution for sensitive user groups. Endpoint protection should be tuned to detect suspicious child processes spawned from Safari and abnormal memory behavior indicative of exploitation attempts.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: Successful exploitation of ZDI-25-1011 in Apple Safari allows attackers to compromise user endpoints via malicious web content, leading to credential theft, session hijacking and lateral movement into critical systems. Enterprises with heavy Safari usage among executives and developers face elevated risk, especially where browser sessions reach sensitive SaaS and cloud management platforms.

Technical Context: ZDI-25-1011 is a JavaScriptCore WebAssembly function parsing use-after-free issue enabling arbitrary code execution in the Safari browser process, mapped to T1203. Mitigation depends on timely Apple patches, enforcement of browser update policies and additional hardening such as limiting WebAssembly where practical and monitoring Safari for signs of exploitation.
⚡Strategic Intelligence Guidance
- Ensure Apple Safari and the underlying WebKit engine are fully patched across macOS and iOS fleets as security updates for ZDI-25-1011 become available.
- Implement endpoint management policies that enforce automatic browser updates and restrict the use of unpatched browsers for access to sensitive applications.
- Consider limiting or disabling WebAssembly execution for high-risk user groups such as administrators and developers where feasible without disrupting workflows.
- Deploy endpoint detection capabilities to monitor for suspicious processes spawned from Safari and behavioral indicators of browser exploitation.
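The detection guidance above (tuning endpoint protection to flag suspicious child processes of Safari) can be prototyped as a simple rule over process-execution telemetry. The following is an added example written for this page, not code from the advisory or from any vendor product; it assumes newline-delimited JSON events with `type`, `process_name`, `parent_name` and `pid` fields, and the process and interpreter names in its allow/deny sets are assumptions to be tuned against a fleet's own baseline.

```python
import json
from typing import Dict, List

# Processes that render untrusted web content for Safari. On macOS, WebKit runs
# JavaScriptCore inside the WebContent helper rather than the Safari binary itself;
# treating both as "browser parents" is an assumption of this example.
BROWSER_PARENTS = {"Safari", "com.apple.WebKit.WebContent", "com.apple.WebKit.GPU"}

# Children a browser renderer has no legitimate reason to launch. Hypothetical
# starting list; extend or trim it from the environment's observed baseline.
SUSPICIOUS_CHILDREN = {"sh", "bash", "zsh", "osascript", "curl", "python3", "perl", "nc"}


def is_suspicious_spawn(event: Dict) -> bool:
    """True when a browser content process execs a shell or scripting interpreter."""
    return (
        event.get("type") == "exec"
        and event.get("parent_name") in BROWSER_PARENTS
        and event.get("process_name") in SUSPICIOUS_CHILDREN
    )


def scan_events(lines: List[str]) -> List[Dict]:
    """Parse NDJSON process events and return those matching the detection rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line: skip it rather than abort the scan
        if is_suspicious_spawn(event):
            hits.append(event)
    return hits


# Constructed sample telemetry (not real logs): a normal Safari launch, a WebContent
# helper exec'ing a shell (what the rule should catch), an unrelated Terminal shell,
# and one corrupted line.
SAMPLE_EVENTS = [
    '{"type":"exec","process_name":"Safari","parent_name":"launchd","pid":501}',
    '{"type":"exec","process_name":"sh","parent_name":"com.apple.WebKit.WebContent","pid":502}',
    '{"type":"exec","process_name":"zsh","parent_name":"Terminal","pid":503}',
    "not json",
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']}: {hit['parent_name']} -> {hit['process_name']}")
```

A production rule would additionally consider the child's command line and signing identity, since a renderer spawning any unsigned binary is as notable as a shell.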
Vendors: Apple, Safari, WebKit, JavaScriptCore
Threats: Remote code execution, Use-after-free exploit
Targets: macOS endpoints, iOS devices, Safari users