CVE-2025-13631
Published: 02 December 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-13631 is a high-severity vulnerability stemming from an inappropriate implementation in the Google Updater component of Google Chrome on macOS versions prior to 143.0.7499.41. It enables a remote attacker to achieve privilege escalation by leveraging a crafted file. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting its potential for significant impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability without prior privileges by tricking a user into interacting with a specially crafted file, such as through social engineering via email or a malicious website. Successful exploitation grants elevated privileges on the affected macOS system, potentially allowing arbitrary code execution with higher permissions and full compromise of the targeted machine.
Google's stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html, addresses the vulnerability in Chrome version 143.0.7499.41 and later. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/448113221. Security practitioners should prioritize updating affected Chrome installations on macOS to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in Google Chrome Updater on macOS enables remote exploitation of a crafted file requiring user interaction for arbitrary code execution (T1203) and subsequent privilege escalation (T1068).