CVE-2025-13230

High

Published: 18 November 2025

Published

18 November 2025

Modified

19 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the type confusion vulnerability in Chrome's V8 engine by requiring timely identification, reporting, and correction via vendor patches such as version 142.0.7444.59.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Scans systems to identify vulnerable Chrome versions affected by CVE-2025-13230, enabling proactive patching before remote exploitation via crafted HTML pages.

SI-16 Memory Protection partial match

prevent

Implements memory protections like ASLR and DEP to minimize the impact of heap corruption from V8 type confusion exploits in the browser renderer process.

Security SummaryAI

CVE-2025-13230 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 142.0.7444.59. This flaw, classified under CWE-843, enables a remote attacker to potentially trigger heap corruption through a specially crafted HTML page. Chromium rates the issue as high severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact on confidentiality, integrity, and availability.

A remote attacker can exploit this vulnerability by enticing a user to visit a malicious website containing the crafted HTML page, requiring user interaction such as loading or rendering the page. No special privileges are needed, and the low attack complexity makes it accessible to attackers with basic web development skills. Successful exploitation could lead to heap corruption, potentially allowing arbitrary code execution within the browser's renderer process, compromising the victim's system.

Mitigation is addressed in the stable channel update for Google Chrome desktop, detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html, which includes the fix in version 142.0.7444.59. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/446124892. Security practitioners should ensure users update to Chrome 142.0.7444.59 or later and advise against visiting untrusted websites.

Details

CWE(s): CWE-843

Affected Products

google

chrome

≤ 142.0.7444.59 · ≤ 142.0.7444.60

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Type confusion in V8 engine exploited via crafted HTML page on malicious website enables drive-by compromise (T1189) and exploitation for client execution (T1203) in the browser renderer process.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html
Release Notes, Vendor Advisory · chrome-cve-admin@google.com
https://issues.chromium.org/issues/446124892
Issue Tracking, Permissions Required · chrome-cve-admin@google.com