The vulnerabilities

Two CVEs, one chain

Neither bug alone is enough. Stage 1 delivers a malicious image to the victim's device with no interaction; stage 2 turns parsing that image into code execution.

Stage 1 · Delivery
CVSS 8.0 · High

CVE-2025-55177

WhatsApp linked-device authorization bypass
Weakness
CWE-863 — Incorrect Authorization
Vector
Network · Low complexity · No privileges · No user interaction
Component
WhatsApp for iOS < 2.25.21.73, WhatsApp Business for iOS < 2.25.21.78, WhatsApp for Mac < 2.25.21.78
Patched
August 2025

Insufficient authorization of linked-device synchronization messages allowed an unrelated user to trigger processing of arbitrary content from a URL on the victim's device — with no tap, no preview, no user action of any kind.

WhatsApp advisory NVD entry Citizen Lab analysis
Stage 2 · Exploitation
CVSS 8.8 · High

CVE-2025-43300

Apple ImageIO — out-of-bounds write
Weakness
CWE-787 — Out-of-Bounds Write
Vector
Processing a malicious image may lead to memory corruption
Component
iOS/iPadOS < 18.6.2, macOS Sequoia < 15.6.1, macOS Sonoma < 14.7.8, macOS Ventura < 13.7.8
Patched
20 August 2025

A mismatch between SamplesPerPixel declared in TIFF/EXIF metadata and the component count encoded in the JPEG Lossless SOF3 marker allowed a crafted DNG image to write past the bounds of a heap buffer — exploited in the wild as part of a sophisticated attack against targeted individuals.

Apple advisory NVD entry Quarkslab write-up
Why a chain? Either CVE alone is bounded. Combined, they turn a remote attacker's WhatsApp identifier into arbitrary code running inside the victim's ImageIO process — with no tap required. See the animated attack flow for the full path, or the heap lab for the corruption primitive.