CVE-2025-1920
Published: 10 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-1920 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 134.0.6998.88. This flaw enables a remote attacker to potentially trigger heap corruption by means of a crafted HTML page. The issue has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.
A remote attacker without privileges can exploit this vulnerability by luring a user into interacting with a malicious site, such as by visiting a crafted HTML page. Successful exploitation could grant high-level impacts on confidentiality, integrity, and availability, potentially allowing heap corruption that leads to arbitrary code execution or other severe compromises within the browser context.
Google has addressed the vulnerability in Chrome stable channel version 134.0.6998.88 and later, as announced in the stable channel update for desktop (https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html). Further technical details are available in the associated Chromium issue tracker (https://issues.chromium.org/issues/398065918). Security practitioners should prioritize updating affected Chrome installations to mitigate this risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Type confusion in V8 JS engine enables remote heap corruption and arbitrary code execution via crafted HTML page in browser, directly facilitating Exploitation for Client Execution (T1203).