CVE-2025-12910
📋 TL;DR
An inappropriate implementation in Google Chrome's Passkeys code allowed a local attacker to read potentially sensitive passkey-related information from Chrome's debug logs. Versions before 140.0.7339.80 are affected. The root cause is information being written to debug logs that should never have been logged; the attacker needs no browser exploit, only read access to the log output on the same machine.
💻 Affected Systems
- Google Chrome
- Chromium
📦 What is this software?
Chrome by Google
Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...
⚠️ Risk & Real-World Impact
Worst Case
A local attacker who can read Chrome's debug log on a shared host obtains passkey-related details logged during authentication, which may include information that should have stayed inside the passkey flow.
Likely Case
Another local user (or a process running as the same user) with read access to the debug log sees technical details of passkey operations that Chrome should not have recorded.
If Mitigated
Minimal. Chrome only writes the debug log when logging is explicitly enabled, the log holds technical rather than complete credential material, and the attacker already needs local access to read it.
🎯 Exploit Status
Exploitation requires local access to the system and the ability to read Chrome's debug logs. The vendor advisory describes no remote vector and no authentication bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 140.0.7339.80 and later
Vendor Advisory: https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html
Restart Required: Yes
Instructions:
1. Open Chrome.
2. Click the three-dot menu.
3. Go to Help > About Google Chrome.
4. Chrome will automatically check for and install updates.
5. Click Relaunch to restart Chrome with the updated version.
🔧 Temporary Workarounds
Disable debug logging
Chrome writes its debug log (chrome_debug.log in the profile's user data directory) only when it is launched with the --enable-logging command-line switch. Make sure no shortcut, launcher script or enterprise deployment starts Chrome with --enable-logging (or the related --v / --vmodule verbosity switches), and delete any existing chrome_debug.log files from profile directories on multi-user hosts.
Restrict local access
Limit who can log in to the host and who can read other users' profile directories; the leaked information is only useful to an attacker who can read the log file.
🧯 If You Can't Patch
- Enforce strict local access controls and least privilege so that other accounts cannot read a user's Chrome profile directory
- Avoid passkey sign-ins in unpatched Chrome on shared or multi-user hosts where debug logging is enabled and other local users could read the log
🔍 How to Verify
Check if Vulnerable:
Open chrome://version and compare the build number with 140.0.7339.80; any lower version is affected. On Linux and macOS the same value is printed by running the browser binary with --version (for example, google-chrome --version).
Check Version:
chrome://version
Verify Fix Applied:
Confirm that chrome://version reports 140.0.7339.80 or higher and that Chrome has been relaunched since the update was installed.
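As an added example that is not part of this advisory page, the following Python script turns the version check above into something you can run across a fleet: it extracts the four-part build number from a chrome://version dump or from `google-chrome --version` output and compares it against the fixed build as integer tuples, which avoids the classic string-comparison mistake where "140.0.7339.9" would look newer than "140.0.7339.80". The binary names and paths tried by `installed_chrome_version()` are assumptions about common installs, not an exhaustive list.

```python
import os
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Fixed build named in the vendor advisory; every earlier 4-part version is affected.
FIXED_VERSION = "140.0.7339.80"

# A 4-part dotted version not glued to surrounding digits or dots.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+(?:\.\d+){3})(?![\d.])")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first 4-part dotted version from strings such as
    'Google Chrome 140.0.7339.80' or 'Chromium 139.0.7258.154 snap'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no 4-part version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build sorts strictly below the fixed build.
    Integer-tuple comparison is what makes 140.0.7339.9 < 140.0.7339.80
    come out right; comparing the raw strings would get it backwards."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Best effort on Linux/macOS: run the first Chrome/Chromium binary found
    with --version and return its output. The names and paths below are
    assumptions about common installs. On Windows chrome.exe --version prints
    nothing; read chrome://version or the file version of chrome.exe instead."""
    candidates = [
        "google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    ]
    for name in candidates:
        path = shutil.which(name) or (name if os.path.isfile(name) else None)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10, check=False).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        if _VERSION_RE.search(out):
            return out.strip()
    return None


if __name__ == "__main__":
    found = installed_chrome_version()
    if found is None:
        print("No Chrome/Chromium binary found; read the version from chrome://version")
    else:
        state = "VULNERABLE" if is_vulnerable(found) else "patched"
        print(f"{found}: {state} (fixed in {FIXED_VERSION})")
```

Remember that the version on disk is not what is running until Chrome is relaunched; pair this check with a process restart on hosts where the browser stays open for days.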
📡 Detection & Monitoring
Log Indicators:
- Reads of chrome_debug.log inside a Chrome profile directory by an account other than the profile owner (on Windows this needs a file-access SACL on the log and Event ID 4663; on Linux, an auditd watch on the path)
- Chrome being launched with --enable-logging on hosts where debug logging is not expected
Network Indicators:
- No network indicators - local-only vulnerability
SIEM Query (pseudo-syntax, adapt to your platform):
EventID=4688 AND NewProcessName ENDS WITH "\chrome.exe" AND CommandLine CONTAINS "--enable-logging" AND NOT SubjectUserName IN [authorized_users]
Note: Event ID 4688 carries the CommandLine field only when the audit policy "Include command line in process creation events" is enabled; without it the query matches nothing, so check for chrome.exe 4688 events with an empty CommandLine as a visibility gap rather than a clean result.