Executive Summary
- CERT-In has issued a warning regarding a critical vulnerability in WhatsApp for iOS and Mac devices.
- The flaw stems from incomplete validation of rich response messages, potentially allowing arbitrary URL processing.
- Affected versions include iOS builds prior to 2.25.23.73 and Mac builds prior to 2.25.23.83.
- WhatsApp reports no evidence of active exploitation and advises users to update immediately.
The Indian Computer Emergency Response Team (CERT-In) has issued a high-severity security advisory regarding a vulnerability in WhatsApp for iOS and macOS devices, warning that the flaw could allow a remote attacker to trigger the processing of content from an arbitrary URL on a victim's device.
According to the security bulletin released by CERT-In, the vulnerability stems from “incomplete validation of rich response messages.” The agency noted that if exploited, this flaw permits an attacker to trigger the processing of content from an arbitrary URL, effectively bypassing standard device security measures to compromise the system.
WhatsApp corroborated these findings in a separate security post regarding its November update. The platform identified that the issue affects WhatsApp for iOS versions prior to v2.25.23.73, WhatsApp Business for iOS prior to v2.25.23.82, and WhatsApp for Mac prior to v2.25.23.83. “This vulnerability exists in WhatsApp due to incomplete validation of rich response messages,” the company stated.
While the vulnerability presents a significant potential risk to users, WhatsApp has clarified that there is currently no evidence to suggest the flaw has been actively exploited in the wild. The company has released patches addressing the issue and is urging users to update their applications immediately to the latest versions available on the App Store.
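For administrators who track app versions across managed devices, the following added example (not from CERT-In or WhatsApp) checks an inventory against the fixed builds named above. The product keys, inventory format and sample rows are assumptions constructed for illustration; the comparison is numeric per component, because a plain string comparison would rank 2.25.9.x above 2.25.23.x.

```python
# Added example: flag WhatsApp installs older than the fixed builds named above.
# Product keys and the inventory format are assumptions made for illustration.
import re

# First fixed build per product, as stated in the article.
FIXED = {
    "whatsapp-ios": "2.25.23.73",
    "whatsapp-business-ios": "2.25.23.82",
    "whatsapp-mac": "2.25.23.83",
}

def parse_version(text):
    """Turn 'v2.25.23.73' into (2, 25, 23, 73); return None if malformed."""
    text = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_older(a, b):
    """Compare numerically, padding the shorter tuple with zeros."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit(inventory):
    """Return (device, product, version, status) for each inventory row."""
    results = []
    for device, product, version in inventory:
        fixed = FIXED.get(product)
        installed = parse_version(version)
        if fixed is None:
            status = "not-in-scope"
        elif installed is None:
            status = "unparseable"  # review by hand rather than assume patched
        elif is_older(installed, parse_version(fixed)):
            status = "vulnerable"
        else:
            status = "patched"
        results.append((device, product, version, status))
    return results

# Constructed sample inventory (not real devices).
SAMPLE = [
    ("phone-01", "whatsapp-ios", "2.25.9.80"),  # string compare would call this newer
    ("phone-02", "whatsapp-ios", "v2.25.23.73"),
    ("phone-03", "whatsapp-business-ios", "2.25.23.81"),
    ("mac-01", "whatsapp-mac", "2.25.23"),
    ("mac-02", "whatsapp-mac", "2.25.x"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```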
Digital Security Outlook
This alert underscores the persistent challenge facing end-to-end encrypted messaging platforms as they integrate complex “rich media” features. The involvement of a national security agency like CERT-In highlights the critical nature of such vulnerabilities in widely used communication tools. As applications evolve to support dynamic content, the attack surface for potential validation errors increases. Security experts emphasize that prompt software updates remain the primary defense against such newly disclosed vulnerabilities, particularly in an ecosystem where remote execution risks can compromise user data privacy and device integrity.
