WhatsApp said it has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that may have been exploited in the wild, in conjunction with a recently disclosed Apple flaw, in targeted zero-day attacks. The flaw, tracked as CVE-2025-55177 (CVSS 8.0), concerns insufficient authorization of linked device synchronization messages and could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. Internal researchers on WhatsApp’s Security Team were credited with discovering and reporting the bug.
The company said the issue “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.” The advisory describing the fix is available on WhatsApp’s security advisories page.
The flaw affects the following versions: WhatsApp for iOS prior to 2.25.21.73; WhatsApp Business for iOS version 2.25.21.78; and WhatsApp for Mac version 2.25.21.78. WhatsApp also assessed that the shortcoming may have been chained with CVE-2025-43300, a vulnerability disclosed by Apple as having been weaponized in an “extremely sophisticated attack against specific targeted individuals”. The Apple CVE concerns an out-of-bounds write vulnerability in the ImageIO framework that could result in memory corruption when processing a malicious image.
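As an added illustration (not WhatsApp’s code; the data model, the names and the notion of a device being “linked” to an account are assumptions), the authorization gap described above can be modelled as a sync-message handler that acts on a URL without first confirming that the sender is one of the account’s own linked devices, shown beside the checked version:

```python
# Hypothetical model of the bug class in the advisory; all names are assumptions.
from dataclasses import dataclass, field


@dataclass
class Account:
    owner: str                                        # account identifier (constructed)
    linked_devices: set = field(default_factory=set)  # device ids the owner paired


@dataclass
class SyncMessage:
    sender_device: str   # device id the transport attributes the message to
    account_owner: str   # account the message claims to synchronize
    content_url: str     # URL whose content the receiver is asked to process


def fake_fetch(url):
    """Stand-in for the client's content processing; returns what would be fetched."""
    return f"processed:{url}"


def process_sync_vulnerable(account, msg, fetch=fake_fetch):
    """Flaw pattern: accepts any message naming the victim's account and
    processes the URL without checking that the sender is a linked device."""
    if msg.account_owner != account.owner:
        return None
    return fetch(msg.content_url)


def process_sync_fixed(account, msg, fetch=fake_fetch):
    """Corrected pattern: the sync message is honoured only if it comes from
    a device the account owner actually linked; everything else is dropped."""
    if msg.account_owner != account.owner:
        return None
    if msg.sender_device not in account.linked_devices:
        return None  # unauthorized sync message: the URL is never touched
    return fetch(msg.content_url)


def demo():
    """Constructed scenario: one legitimate linked device, one unrelated sender."""
    victim = Account(owner="alice", linked_devices={"alice-laptop"})
    legit = SyncMessage("alice-laptop", "alice", "https://example.invalid/own-sync")
    rogue = SyncMessage("unrelated-device", "alice", "https://example.invalid/hostile")
    return {
        "vulnerable_rogue": process_sync_vulnerable(victim, rogue),
        "fixed_rogue": process_sync_fixed(victim, rogue),
        "fixed_legit": process_sync_fixed(victim, legit),
    }
```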
Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, said WhatsApp has notified an unspecified number of individuals that it believes were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177. In the alert sent to those targeted individuals, WhatsApp recommended performing a full device factory reset and keeping the operating system and the WhatsApp app up to date for optimal protection. It is not publicly known who or which spyware vendor is behind the attacks. Donncha Ó Cearbhaill’s post on X referenced the broader risk to civil society and journalists.
Amid concerns over the continued threat of government spyware, researchers stressed that the combination of a messaging app vulnerability with Apple’s zero-days underscores the need for rigorous software updates and cautious digital hygiene among civil society workers.