CVE-2017-2457
published 2017-04-02


Priority: P2 (60, high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 6.30% (92.7th percentile)
An issue was discovered in certain Apple products. iOS before 10.3 is affected. Safari before 10.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.

Affected (5 ranges)

Vendor  | Product    | Version range                          | Fixed in
apple   | ios        |                                        |
apple   | iphone_os  | <= 10.2.1                              |
apple   | safari     | <= 10.0.3                              |
apple   | safari     |                                        |
debian  | webkit2gtk | < webkit2gtk 2.16.3-2 (bookworm)       | webkit2gtk 2.16.3-2 (bookworm)

Detection & IOCs (extracted from sources)

command: let rs = new ReadableStream(); let cons = rs.getReader().constructor; rs.getReader = 0x12345; new cons(rs);
  • The vulnerability is a type confusion in WebKit's `constructJSReadableStreamDefaultReader`. Detect exploitation attempts by monitoring for JavaScript that replaces `ReadableStream.prototype.getReader` with a non-function (e.g., an integer like 0x12345) and then invokes the saved constructor with the modified stream object.
  • The exploit abuses `constructJSReadableStreamDefaultReader` by passing a ReadableStream whose `getReader` property has been overwritten with a non-callable value, triggering type confusion. Look for JS content that saves `rs.getReader().constructor` before overwriting `getReader`.
  • Affected versions: iOS before 10.3 and Safari before 10.1. Prioritize alerting on WebKit-based user agents running versions at or below these thresholds when processing remote web content.
  • The specific vulnerable WebKit build identified in the PoC is version 10.0.2 (12602.3.12.0.1, r210800). Use this build string to identify unpatched instances in asset inventories or User-Agent logs.
  • The exploit targets the internal WebKit C++ function `constructJSReadableStreamDefaultReader`. The type confusion is triggered via the JavaScript API surface (`ReadableStream` / `getReader`), meaning no special browser configuration is required: any page load on a vulnerable WebKit version can trigger it.
  • The vulnerability requires no user interaction beyond visiting a crafted web page ('via a crafted web site'), making it exploitable in drive-by scenarios with no additional configuration prerequisites on the victim side.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.0    | 8.8   | HIGH     | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | LOW      |