CVE-2021-25255

7.5 HIGH

📋 TL;DR

Yandex Browser Lite for Android before 21.1.0 can be crashed by a remote attacker who gets the browser to load specially crafted content, a denial of service of the browser app. No authentication or further user interaction is required beyond the browser loading that content (for example, the user opening a page that serves it).

💻 Affected Systems

Products:
  • Yandex Browser Lite
Versions: All versions prior to 21.1.0
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Yandex Browser Lite, not the main Yandex Browser. Mobile-only vulnerability.

📦 What is this software?

Yandex Browser Lite is Yandex's lightweight Android browser, distributed through Google Play as a separate app from the main Yandex Browser (which this CVE does not affect).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker-controlled content crashes the browser every time it is loaded, so the app is unusable for browsing until it is updated (or reinstalled from the store, which installs the fixed build).

🟠 Likely Case

The browser crashes when it loads a malicious page; the user restarts the app and continues.

🟢 If Mitigated

On 21.1.0 or later the crafted content no longer crashes the browser.

🌐 Internet-Facing: HIGH - the trigger is web content, so any site the browser loads can deliver it; no authentication is needed.
🏢 Internal Only: LOW - this is a client-side bug, so the internet-facing/internal distinction matters little: exposure follows the browser to whatever content it loads, internal sites included. The rating is lower only because a browser confined to intranet sites sees far less attacker-controlled content.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Complexity is rated LOW because the attacker only needs the victim's browser to load the crafted content; no authentication and no exploit chain are required. No public proof of concept is known, so the exact trigger is not documented here.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 21.1.0 and later

Vendor Advisory: https://yandex.com/bugbounty/i/hall-of-fame-browser/

Restart Required: Yes

Instructions:

1. Open the Google Play Store.
2. Search for Yandex Browser Lite.
3. Tap Update (or enable auto-updates for the app so future fixes arrive unattended).
4. Restart the browser after the update completes.

🔧 Temporary Workarounds

Disable JavaScript (android)

Browser Settings > Site Settings > JavaScript > Disable

Prevents execution of scripts that might trigger the crash. The advisory does not say whether the crash needs JavaScript, so this is at best a partial mitigation, and it breaks most modern sites.

Use alternative browser (android)

Switch to a different browser until Yandex Browser Lite is updated to 21.1.0 or later, and make the other browser the default so links from other apps do not open in the vulnerable one.

🧯 If You Can't Patch

  • Restrict the browser to an allow-list of trusted sites (parental controls, device-management policy or firewall rules). This narrows exposure but does not remove it: any allowed site that serves third-party content or gets compromised can still deliver the trigger.
  • Collect crash and ANR reports for the app and investigate clusters of crashes, especially ones that follow visits to the same domain.

🔍 How to Verify

Check Version:

Open Yandex Browser Lite > Settings > About Yandex Browser Lite and read the version number. Anything below 21.1.0 is vulnerable.

Verify Fix Applied:

The same screen shows 21.1.0 or higher.
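For fleets of devices the About screen does not scale, so here is an added example (not from the advisory or from Yandex) that reads the installed versionName over adb and compares it with the fixed version. The package name com.yandex.browser.lite is an assumption taken from the page's log indicator and should be confirmed with `adb shell pm list packages yandex`; the comparison is a plain dotted-numeric compare, so a build suffix such as "-beta" is ignored.

```shell
#!/bin/sh
# Added example, not part of the advisory: check an installed Yandex Browser Lite
# version against the fixed release 21.1.0.
FIXED_VERSION="21.1.0"
# Assumed package name (from the page's log indicator); confirm with:
#   adb shell pm list packages yandex
PKG="com.yandex.browser.lite"

# norm VERSION : keep the leading digits/dots, pad to four numeric components
# ("21.1" -> "21.1.0.0", "21.1.0-beta" -> "21.1.0.0")
norm() {
    printf '%s.0.0.0' "$(printf '%s' "$1" | sed 's/[^0-9.].*//')" | cut -d. -f1-4
}

# version_lt A B : exit 0 when A < B, 1 otherwise
version_lt() {
    a=$(norm "$1"); b=$(norm "$2")
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# is_vulnerable VERSION : prints "vulnerable" (exit 0) or "fixed" (exit 1)
is_vulnerable() {
    if version_lt "$1" "$FIXED_VERSION"; then
        printf 'vulnerable\n'; return 0
    fi
    printf 'fixed\n'; return 1
}

# installed_version : read versionName from a USB-debugging-enabled device
installed_version() {
    adb shell dumpsys package "$PKG" 2>/dev/null \
        | sed -n 's/^[[:space:]]*versionName=//p' | head -n 1
}

# Offline demonstration on a constructed version string.
printf 'example: 20.11.3 -> %s\n' "$(is_vulnerable 20.11.3)"

# Run with --device to check a connected phone.
if [ "${1:-}" = "--device" ]; then
    v=$(installed_version)
    if [ -z "$v" ]; then
        printf '%s not installed or adb unavailable\n' "$PKG" >&2; exit 2
    fi
    printf '%s %s: %s\n' "$PKG" "$v" "$(is_vulnerable "$v")"
fi
```

The check runs the same way over a list of devices with `adb -s <serial>`; the exit status of is_vulnerable makes it easy to feed into a loop that prints only the vulnerable ones.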

📡 Detection & Monitoring

Log Indicators:

  • Browser crash logs
  • ANR (Application Not Responding) reports
  • Frequent browser restarts

Network Indicators:

  • Requests to suspicious domains followed by browser crashes

SIEM Query:

Android does not log a string like "Yandex Browser Lite crashed". A Java crash appears in logcat as an AndroidRuntime "FATAL EXCEPTION" line followed by "Process: <package>, PID: ..."; an ANR appears as "ANR in <package>" from ActivityManager; a native crash is reported by debuggerd with the process name between ">>>" and "<<<". A Splunk-style query over collected logcat therefore looks like the following (com.yandex.browser.lite is assumed to be the app's package ID; confirm with adb shell pm list packages yandex):

source="android_logs" AND ("ANR in com.yandex.browser.lite" OR ("FATAL EXCEPTION" AND "Process: com.yandex.browser.lite") OR ">>> com.yandex.browser.lite <<<")
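Where no SIEM ingests device logs, the same detection can run directly over a logcat capture. The script below is an added example, not the page's query and not Yandex code: it classifies Java crashes, ANRs and native crashes for one package and flags repeated crashes, which is the "frequent browser restarts" pattern the indicators above ask you to investigate. The line shapes follow what AndroidRuntime, ActivityManager and debuggerd write to logcat; the sample lines are constructed for offline testing and the package name is assumed.

```shell
#!/bin/sh
# Added example, not part of the advisory: count crash/ANR events for one package
# in an Android logcat capture (threadtime format).
PKG="com.yandex.browser.lite"   # assumed package name

# Constructed sample logcat lines: two crashes and one ANR for the target package,
# plus an unrelated crash in another app that must not be counted.
SAMPLE_LOG=$(cat <<'EOF'
02-14 10:01:02.123  1234  1234 I ActivityManager: Start proc 4567:com.yandex.browser.lite/u0a123
02-14 10:01:10.456  4567  4567 E AndroidRuntime: FATAL EXCEPTION: main
02-14 10:01:10.457  4567  4567 E AndroidRuntime: Process: com.yandex.browser.lite, PID: 4567
02-14 10:01:15.000  1234  1300 I ActivityManager: Start proc 4601:com.yandex.browser.lite/u0a123
02-14 10:01:40.001  4601  4601 E ActivityManager: ANR in com.yandex.browser.lite (com.yandex.browser.lite/.MainActivity)
02-14 10:02:00.500   900   900 F DEBUG   : pid: 4650, tid: 4650, name: yandex.lite  >>> com.yandex.browser.lite <<<
02-14 10:02:05.000  5000  5000 E AndroidRuntime: FATAL EXCEPTION: main
02-14 10:02:05.001  5000  5000 E AndroidRuntime: Process: com.example.other, PID: 5000
EOF
)

# crash_events PKG : read logcat on stdin, print "<date> <time> <kind>" per event of PKG
crash_events() {
    awk -v pkg="$1" '
        # Java crash: the FATAL EXCEPTION line is followed by "Process: <pkg>, PID: n"
        /AndroidRuntime: FATAL EXCEPTION/ { pending = 1; next }
        pending && /AndroidRuntime: Process: / {
            pending = 0
            if (index($0, "Process: " pkg ",") > 0) print $1, $2, "java-crash"
            next
        }
        # ANR reported by ActivityManager
        index($0, "ANR in " pkg) > 0 { print $1, $2, "anr"; next }
        # Native crash: debuggerd tombstone header names the process as >>> pkg <<<
        /DEBUG/ && index($0, ">>> " pkg " <<<") > 0 { print $1, $2, "native-crash"; next }
    '
}

# crash_count PKG : number of crash/ANR events on stdin
crash_count() { crash_events "$1" | wc -l | tr -d ' '; }

# flag_if_repeated PKG THRESHOLD : "investigate (n crashes)" when n >= THRESHOLD, else "ok (n crashes)"
flag_if_repeated() {
    n=$(crash_count "$1")
    if [ "$n" -ge "$2" ]; then
        printf 'investigate (%s crashes)\n' "$n"
    else
        printf 'ok (%s crashes)\n' "$n"
    fi
}

# Demonstration on the constructed sample; on a device use:
#   adb logcat -d | flag_if_repeated "$PKG" 3
printf '%s\n' "$SAMPLE_LOG" | crash_events "$PKG"
printf '%s\n' "$SAMPLE_LOG" | flag_if_repeated "$PKG" 3
```

The threshold is deliberately a parameter: a single crash is noise on Android, while several crashes of the same package within minutes, especially right after page loads from one domain, is the pattern worth pulling the page content for.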
