CVE-2025-0291

CVE-2025-0291 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 131.0.6778.264. This flaw, classified under CWE-843, enables malformed object handling that leads to incorrect type assumptions during execution. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.

A remote attacker can exploit this vulnerability by crafting an HTML page that triggers the type confusion in V8 when rendered in Chrome. Exploitation requires user interaction, such as visiting a malicious website, after which the attacker achieves arbitrary code execution within the browser's sandbox. This grants high-impact access to confidentiality, integrity, and availability, though confined to the sandboxed environment.

Mitigation is addressed in the Chrome stable channel update documented at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html, which patches the issue in version 131.0.6778.264 and later. Additional details are available in the Chromium bug tracker at https://issues.chromium.org/issues/383356864. Security practitioners should prioritize updating affected Chrome installations to prevent exploitation.