CVE-2025-2137
Published: 10 March 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-2137 is an out-of-bounds read vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 134.0.6998.88. This flaw, classified under CWE-125, enables out-of-bounds memory access when processing a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium security standards.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, which requires user interaction but no special privileges. Successful exploitation allows arbitrary out-of-bounds memory access, potentially leading to high-impact consequences such as disclosure of sensitive information, code execution, or system crashes affecting confidentiality, integrity, and availability.
Google's stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html, addresses the vulnerability by upgrading Chrome to version 134.0.6998.88. Additional details are tracked in the Chromium issue at https://issues.chromium.org/issues/398999390. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an out-of-bounds read in Chrome's V8 engine triggered by a crafted HTML page on a malicious website, directly enabling drive-by compromise via user-visited malicious content and exploitation for client execution.