CVE-2013-6662 – Google Chrome cached TLS sessions before valida... (How to Fix)

Q: What is the severity of CVE-2013-6662?

CVE-2013-6662 has a CVSS score of 6.5 (MEDIUM). Google Chrome cached TLS sessions before validating server certificates, allowing attackers to intercept and decrypt HTTPS traffic. This affects users of vulnerable Chrome versions who visit malicious or compromised websites.

📋 TL;DR

Google Chrome cached TLS sessions before validating server certificates, allowing attackers to intercept and decrypt HTTPS traffic. This affects users of vulnerable Chrome versions who visit malicious or compromised websites.

💻 Affected Systems

Products:

Google Chrome

Versions: Versions prior to 31.0.1650.63

Operating Systems: Windows, macOS, Linux, Chrome OS

Default Config Vulnerable: ⚠️ Yes

Notes: All Chrome installations with default settings were vulnerable

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Man-in-the-middle attackers can decrypt sensitive HTTPS traffic including passwords, session cookies, and financial data

🟠

Likely Case

Attackers on compromised networks can intercept and decrypt web traffic from vulnerable Chrome instances

🟢

If Mitigated

With proper network segmentation and certificate pinning, impact is limited to specific network segments

🌐 Internet-Facing: MEDIUM - Requires attacker to be in network path or control network infrastructure

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires man-in-the-middle position and ability to intercept TLS connections

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 31.0.1650.63

Vendor Advisory: https://chromereleases.googleblog.com/2013/11/stable-channel-update.html

Restart Required: Yes

Instructions:

1. Open Chrome settings 2. Click 'About Chrome' 3. Allow Chrome to update automatically 4. Restart Chrome when prompted

🔧 Temporary Workarounds

Disable TLS session caching

all

Prevents Chrome from caching TLS sessions entirely

chrome --disable-features=SSLSessionCache

🧯 If You Can't Patch

Use alternative browsers for sensitive transactions
Implement network-level TLS inspection and certificate validation

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in settings > About Chrome. If version is below 31.0.1650.63, it's vulnerable

Check Version:

chrome://version/

Verify Fix Applied:

Verify Chrome version is 31.0.1650.63 or higher in settings > About Chrome

📡 Detection & Monitoring

Log Indicators:

Multiple TLS session resumption attempts from same client
Certificate validation errors followed by session resumption

Network Indicators:

TLS session resumption without full handshake
Unusual certificate chains in TLS traffic

SIEM Query:

source="chrome" AND (event="tls_session_resumption" OR event="certificate_validation")

📊 Metadata

CVE ID: CVE-2013-6662

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWE: CWE-295

Published: April 13, 2017

Last Updated: February 23, 2026

🔗 References

https://bugs.chromium.org/p/chromium/issues/detail?id=305220 Issue Tracking,Patch,Third Party Advisory
https://bugs.chromium.org/p/chromium/issues/detail?id=305220 Issue Tracking,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2013-6662, you might also want to check these: