Login Sign Up

CVE-2025-1920

8.8 HIGH

📋 TL;DR

A type confusion vulnerability in Chrome's V8 JavaScript engine could allow attackers to execute arbitrary code or cause heap corruption by tricking users into visiting malicious web pages. This affects all users running vulnerable versions of Google Chrome on any platform. The vulnerability requires user interaction but no authentication.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 134.0.6998.88
Operating Systems: Windows, macOS, Linux, ChromeOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Chrome installations are vulnerable. Extensions or security settings don't mitigate this.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within browser sandbox.

🟢

If Mitigated

Minimal impact if browser sandboxing works correctly, potentially just a tab crash.

🌐 Internet-Facing: HIGH - Attackers can host malicious pages on public websites.
🏢 Internal Only: MEDIUM - Requires user to visit attacker-controlled internal page.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires JavaScript execution and bypassing Chrome's sandbox. No public exploits known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 134.0.6998.88 or later

Vendor Advisory: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html

Restart Required: No

Instructions:

1. Open Chrome. 2. Click three dots menu → Help → About Google Chrome. 3. Chrome will automatically check for and install update. 4. Relaunch Chrome when prompted.

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by blocking JavaScript execution

chrome://settings/content/javascript → Block

Use Site Isolation

all

Enhances sandboxing between websites

chrome://flags/#site-isolation-trial-opt-out → Disabled

🧯 If You Can't Patch

  • Restrict web browsing to trusted sites only
  • Use application allowlisting to prevent unauthorized Chrome execution

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in About Google Chrome page

Check Version:

google-chrome --version

Verify Fix Applied:

Confirm version is 134.0.6998.88 or higher

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Unexpected renderer process termination

Network Indicators:

  • Connections to suspicious domains with JavaScript-heavy content

SIEM Query:

source="chrome" AND (event="crash" OR event="renderer_terminated")

📊 Metadata

CVE ID: CVE-2025-1920
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-843
EPSS Score: 0.15% exploit probability (36th percentile)
Published: March 10, 2025
Last Updated: April 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-1920, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2023-42464 9.8

A Type Confusion vulnerability in Netatalk's afpd service allows remote attackers to potentially exe...

Same vulnerability type (CWE-843)