CVE-2025-0437

High

Published: 15 January 2025

Published

15 January 2025

Modified

03 February 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Out of bounds read in Metrics in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Security Summary

CVE-2025-0437 is an out-of-bounds read vulnerability (CWE-125) in the Metrics component of Google Chrome prior to version 132.0.6834.83. This flaw, classified as High severity by Chromium security standards, enables a remote attacker to potentially trigger heap corruption by processing a crafted HTML page.

The vulnerability can be exploited by a remote attacker with network access, requiring low attack complexity and no privileges, but user interaction such as visiting a malicious site. Exploitation could lead to high impacts on confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Mitigation is available via the stable channel update for Chrome desktop, documented in the Chrome Releases blog at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html and the Chromium issue tracker at https://issues.chromium.org/issues/378623799. Affected systems should be updated to Chrome 132.0.6834.83 or later.

Details

CWE(s): CWE-125

Affected Products

google

chrome

≤ 132.0.6834.83

References

https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html
Release Notes · chrome-cve-admin@google.com
https://issues.chromium.org/issues/378623799
Permissions Required · chrome-cve-admin@google.com