Software developer Abraham Masri revealed that sending a message containing a link to the bug's code was enough to crash an iPhone or Mac computer, and in some cases cause it to restart.
Mr Masri initially posted a link to the code on programming site GitHub but has since removed it, saying: "I made my point. Apple need to take such bugs more seriously."
He said he had reported the bug to Apple before releasing it online, but its removal means malicious messages can no longer be sent linking to it.
The tech giant has not yet commented on the issue.
The flaw has been named ChaiOS - a play on the words chaos and iOS, Apple's mobile operating system - but is regarded by security experts as a "nuisance" rather than dangerous.
Industry expert Graham Cluley said: "Something about the so-called ChaiOS bug's code gives your Apple device a brainstorm. Ashamed about the mess it gets itself in, Messages decides the least embarrassing thing to do is to crash.
"Nasty. But, thankfully, more of a nuisance than something that will lead to data being stolen from your computer or a malicious hacker being able to access your files.
"Don't be surprised if Apple rolls out a security update in the near future to fix this latest example of a text bomb."
The flaw is similar to the Effective Power bug which hit iPhone devices in 2015, when a set of characters sent as a text message could cause an iPhone to reboot.