CVE-2025-1566
📋 TL;DR
A DNS leak vulnerability in ChromeOS's native VPN implementation allows network observers to intercept plaintext DNS queries during VPN state transitions. This affects ChromeOS Dev Channel users running version 16002.23.0, potentially exposing their browsing activity and visited domains.
💻 Affected Systems
- Google ChromeOS
📦 What is this software?
ChromeOS by Google
⚠️ Risk & Real-World Impact
Worst Case
Attackers on the same network could monitor all DNS queries, mapping user activity, visited domains, and potentially infer sensitive information about browsing habits or organizational access patterns.
Likely Case
Network observers in public Wi-Fi or shared networks could see which websites users visit, potentially compromising privacy and exposing browsing history.
If Mitigated
With proper network segmentation and encrypted DNS (DoH/DoT), exposure is limited to metadata about DNS query timing and volume rather than specific domains.
🎯 Exploit Status
Exploitation requires network access but no authentication; attackers simply need to monitor network traffic during VPN transitions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to ChromeOS Dev Channel version >16002.23.0
Vendor Advisory: https://issues.chromium.org/issues/b/342802975
Restart Required: Yes
Instructions:
1. Open ChromeOS Settings
2. Navigate to 'About ChromeOS'
3. Click 'Check for updates'
4. Install available update
5. Restart device when prompted
🔧 Temporary Workarounds
Switch to Stable Channel
Move from Dev Channel to Stable Channel to avoid this vulnerability entirely.
chrome://settings/help
Click 'Additional details'
Change channel to 'Stable'
Check for updates and restart
Use Third-Party VPN Client
Use a third-party VPN application instead of the native ChromeOS VPN feature.
🧯 If You Can't Patch
- Avoid using public Wi-Fi networks while connected to VPN
- Configure DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) to encrypt DNS queries independently
🔍 How to Verify
Check if Vulnerable:
Check ChromeOS version: Settings > About ChromeOS > Detailed build information; if version is exactly 16002.23.0 on Dev Channel, device is vulnerable.
Check Version:
cat /etc/lsb-release | grep CHROMEOS_RELEASE_VERSION
Verify Fix Applied:
After update, verify ChromeOS version is >16002.23.0; test VPN connection and monitor DNS traffic to confirm queries are properly tunneled.
📡 Detection & Monitoring
Log Indicators:
- DNS queries appearing from ChromeOS device IP when VPN should be active
- VPN connection state change logs without corresponding DNS tunnel establishment
Network Indicators:
- Plaintext DNS queries (port 53) originating from ChromeOS devices during VPN sessions
- DNS traffic bypassing VPN tunnel interface
SIEM Query:
source="network_dns" dest_port=53 src_ip=CHROMEOS_DEVICE_IP NOT vpn_tunnel="established"
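Added example (not part of the original advisory or any vendor tooling): a small correlation script implementing the log and network indicators above, flagging port-53 queries seen on the local network from a device whose VPN is connecting, connected or reconnecting. The log line format, field names, state names and all sample records are constructed for illustration.

```python
from datetime import datetime

# VPN states in which the user expects traffic to be tunneled (assumed names).
VPN_EXPECTED = {"connecting", "connected", "reconnecting"}

def parse(line):
    """Parse 'ISO_TS kind key=value ...' into a dict (constructed log format)."""
    ts, kind, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["kind"] = kind
    return rec

def find_dns_leaks(lines, device_ip):
    """Return plaintext DNS queries seen on the LAN while the VPN should be up."""
    state, leaks = "disconnected", []
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        if rec["kind"] == "vpn" and rec["device"] == device_ip:
            state = rec["state"]  # track the latest VPN state for this device
        elif (rec["kind"] == "dns" and rec["src"] == device_ip
              and rec["dport"] == "53" and state in VPN_EXPECTED):
            leaks.append((rec["ts"].isoformat(), state, rec["qname"]))
    return leaks

# Constructed sample: VPN state changes plus LAN-side DNS sensor records.
SAMPLE = [
    "2025-01-10T09:00:01 dns src=192.0.2.10 dport=53 qname=example.com",
    "2025-01-10T09:00:05 vpn device=192.0.2.10 state=connecting",
    "2025-01-10T09:00:06 dns src=192.0.2.10 dport=53 qname=intranet.example.org",
    "2025-01-10T09:00:08 vpn device=192.0.2.10 state=connected",
    "2025-01-10T09:10:00 vpn device=192.0.2.10 state=reconnecting",
    "2025-01-10T09:10:01 dns src=192.0.2.10 dport=53 qname=mail.example.net",
    "2025-01-10T09:10:02 dns src=192.0.2.20 dport=53 qname=other.example.com",
    "2025-01-10T09:10:03 dns src=192.0.2.10 dport=853 qname=-",
    "2025-01-10T09:20:00 vpn device=192.0.2.10 state=disconnected",
    "2025-01-10T09:20:05 dns src=192.0.2.10 dport=53 qname=example.com",
]

if __name__ == "__main__":
    for ts, state, qname in find_dns_leaks(SAMPLE, "192.0.2.10"):
        print(f"{ts} vpn={state} leaked query: {qname}")
```

Queries made while the VPN is disconnected, queries from other hosts, and DoT traffic on port 853 are not flagged; only the two port-53 queries during the connecting and reconnecting states are reported.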