CVE-2025-1915
Published: 05 March 2025
Description
An adversary may rely upon a user opening a malicious file in order to gain execution.
Security Summary
CVE-2025-1915, published on 2025-03-05, is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (CWE-22) in DevTools within Google Chrome on Windows versions prior to 134.0.6998.35. This flaw enables attackers to bypass file access restrictions through a crafted Chrome Extension. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), classified as High severity, though Chromium rates it as Medium.
Exploitation requires an attacker to convince a targeted user to install a malicious Chrome extension, involving network access with low attack complexity and no required privileges, but necessitating user interaction. Upon success, the attacker achieves high impacts on confidentiality and integrity, allowing unauthorized access to restricted files, while availability remains unaffected.
Google's stable channel update for desktop, detailed at chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html, patches this issue in Chrome version 134.0.6998.35. Additional technical details are available in the Chromium issue tracker at issues.chromium.org/issues/391114799. Mitigation involves updating affected Windows installations to the latest stable Chrome release.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal flaw directly enables unauthorized access to restricted local files on the system (T1005 Data from Local System). Exploitation requires the user to install and execute a malicious Chrome extension file (T1204.002 Malicious File).