CVE-2025-12907

CVE-2025-12907 is an insufficient validation of untrusted input vulnerability affecting the Devtools component in Google Chrome versions prior to 140.0.7339.80. It stems from CWE-20 (Improper Input Validation) and enables a remote attacker to execute arbitrary code through user actions within Devtools. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), though Chromium rates its security severity as Low.

A remote attacker with no privileges can exploit this vulnerability by tricking a user into performing specific actions in Chrome's Devtools interface, such as inspecting or interacting with malicious content. Successful exploitation grants high-impact arbitrary code execution with full confidentiality, integrity, and availability effects in the context of the browser, potentially leading to sandbox escape or further compromise depending on the attacker's payload.

Mitigation is addressed in the stable channel update for Chrome desktop, detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html, which includes the patch in version 140.0.7339.80. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/427367145. Users should update to the patched version promptly to prevent exploitation.