Cyber Posture

CVE-2025-0443

Severity: High · Public PoC

Published: 15 January 2025
Modified: 21 April 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0063 (70.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Insufficient data validation in Extensions in Google Chrome prior to 132.0.6834.83 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium)

Security Summary

CVE-2025-0443 is an insufficient data validation vulnerability affecting the Extensions component in Google Chrome prior to version 132.0.6834.83. Published on 2025-01-15, it enables a remote attacker to perform privilege escalation via a crafted HTML page after convincing a user to engage in specific UI gestures. The flaw is associated with CWE-79 (Cross-site Scripting) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), rated as Medium severity by Chromium security.

A remote attacker needs no privileges and can exploit this over the network with low attack complexity, although exploitation depends on user interaction: the victim must perform specific UI gestures on the attacker's page. Successful exploitation has high impact on confidentiality, integrity, and availability, allowing privilege escalation within the browser context.

Google's stable channel update for desktop, announced at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html, patches the issue in Chrome 132.0.6834.83. Additional details are available in the Chromium issue tracker at https://issues.chromium.org/issues/376625003. Security practitioners should prioritize updating affected Chrome installations to mitigate exploitation risk.

Details

CWE(s): CWE-79

Affected Products

Vendor: google
Product: chrome
Versions: ≤ 132.0.6834.83
