CVE-2024-0804

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass Chrome's cross-origin security policies on iOS devices, enabling them to read data from other websites visited by the user. It affects Google Chrome on iOS prior to version 121.0.6167.85. Users who haven't updated their Chrome browser on iOS are vulnerable to data leakage attacks.

💻 Affected Systems

Products:
  • Google Chrome
Versions: All versions prior to 121.0.6167.85
Operating Systems: iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Chrome on iOS devices. Desktop Chrome, Chrome on Android, and other browsers are not affected.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal sensitive data like authentication tokens, personal information, or financial data from other websites the user has open in Chrome tabs.

🟠 Likely Case

Targeted attacks stealing session cookies or authentication tokens from popular websites to hijack user accounts.

🟢 If Mitigated

Minimal impact with proper browser updates and security controls in place.

🌐 Internet-Facing: HIGH - Attackers can exploit this remotely via crafted web pages without user interaction beyond visiting the page.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal websites, but exploitation requires the user to visit a malicious page.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the user to visit a malicious webpage, but no additional user interaction. The bug report suggests relatively straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 121.0.6167.85

Vendor Advisory: https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_23.html

Restart Required: Yes

Instructions:

1. Open Chrome on the iOS device.
2. Go to Settings > About Chrome.
3. Chrome will automatically check for updates.
4. If an update is available, tap 'Update'.
5. Restart Chrome after the update completes.

🔧 Temporary Workarounds

Use alternative browser (iOS)

Temporarily use Safari or another browser until Chrome is updated.

Disable JavaScript (iOS)

Disable JavaScript in Chrome settings to prevent exploitation (breaks most websites).

🧯 If You Can't Patch

  • Restrict access to untrusted websites using web filtering or proxy controls
  • Implement network segmentation to limit data that could be leaked from internal systems

🔍 How to Verify

Check if Vulnerable:

Open Chrome on iOS, go to Settings > About Chrome, check if version is below 121.0.6167.85

Check Version:

Not applicable for iOS - check via Chrome settings menu

Verify Fix Applied:

Confirm Chrome version is 121.0.6167.85 or higher in Settings > About Chrome

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-origin requests in web server logs
  • Multiple CORS policy violations from the same user session

Network Indicators:

  • Suspicious JavaScript loading patterns
  • Unusual iframe or window.opener usage patterns

SIEM Query:

Not specifically applicable - monitor for Chrome update compliance on iOS devices
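
One way to monitor update compliance from web or proxy access logs, as an added example that is not part of the original advisory: it flags clients whose User-Agent carries a `CriOS/<version>` token (how Chrome on iOS identifies itself) below 121.0.6167.85. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re

PATCHED = (121, 0, 6167, 85)  # fixed version stated in this advisory
# Chrome on iOS puts a "CriOS/<version>" token in its User-Agent.
CRIOS_RE = re.compile(r"\bCriOS/(\d+(?:\.\d+){0,3})")
# Assumption: combined log format, User-Agent is the last quoted field.
UA_RE = re.compile(r'"([^"]*)"\s*$')

def crios_version(user_agent):
    """Return the Chrome-on-iOS version as a 4-tuple, or None if absent."""
    m = CRIOS_RE.search(user_agent)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad short versions

def is_vulnerable(user_agent):
    """True only for CriOS builds below the patched version."""
    v = crios_version(user_agent)
    return v is not None and v < PATCHED

def unpatched_clients(log_lines):
    """Map client IP -> lowest unpatched CriOS version seen for it."""
    findings = {}
    for line in log_lines:
        ua = UA_RE.search(line)
        if not ua or not is_vulnerable(ua.group(1)):
            continue
        ip = line.split(" ", 1)[0]
        v = crios_version(ua.group(1))
        findings[ip] = min(v, findings.get(ip, v))
    return findings

# Constructed sample traffic (documentation IP ranges), not real logs.
UA_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) CriOS/{} Mobile/15E148 Safari/604.1")
UA_ANDROID = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36"
LINE = '{} - - [24/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{}"'
SAMPLE_LOG = [
    LINE.format("192.0.2.10", UA_IOS.format("120.0.6099.119")),
    LINE.format("192.0.2.10", UA_IOS.format("119.0.6045.169")),
    LINE.format("192.0.2.11", UA_IOS.format("121.0.6167.85")),
    LINE.format("198.51.100.7", UA_IOS.format("121.0.6167.66")),
    LINE.format("203.0.113.5", UA_ANDROID),
]

if __name__ == "__main__":
    for ip, v in sorted(unpatched_clients(SAMPLE_LOG).items()):
        print(ip, ".".join(map(str, v)))
```

User-Agent strings are client-controlled and may be rewritten by intermediaries, so treat the output as an update-compliance inventory rather than evidence of exploitation.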
