CVE-2025-2135
Published: 10 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-2135 is a type confusion vulnerability (CWE-843) in the V8 JavaScript engine within Google Chrome versions prior to 134.0.6998.88. It enables a remote attacker to potentially trigger heap corruption by processing a crafted HTML page. The Chromium security team classifies it as High severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A remote attacker without privileges can exploit this vulnerability over the network with low complexity by luring a user to interact with a malicious site, such as visiting a webpage or opening an HTML document. User interaction is required, but successful exploitation could result in high confidentiality, integrity, and availability impacts, including heap corruption that may lead to code execution or system compromise.
Google's stable channel update for desktop, detailed in the Chrome Releases blog at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html, patches this issue in version 134.0.6998.88. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/400052777. Mitigation involves updating affected Chrome installations to 134.0.6998.88 or later.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The type confusion vulnerability in Chrome's V8 JS engine enables remote code execution via a crafted HTML page visited by the user, directly facilitating drive-by compromise (T1189) and exploitation for client execution (T1203).