Login Sign Up

CVE-2025-2135

8.8 HIGH

📋 TL;DR

This is a type confusion vulnerability in Chrome's V8 JavaScript engine that could allow an attacker to trigger heap corruption by tricking the browser into misinterpreting data types. Attackers could exploit this by luring users to malicious websites. All users running vulnerable Chrome versions are affected.

💻 Affected Systems

Products:
  • Google Chrome
  • Chromium-based browsers
Versions: All versions prior to 134.0.6998.88
Operating Systems: Windows, macOS, Linux, ChromeOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default Chrome configurations are vulnerable. Extensions or security settings don't mitigate this vulnerability.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...

Learn more about Chrome →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment

🟠

Likely Case

Browser crash (denial of service) or limited memory corruption leading to information disclosure

🟢

If Mitigated

Browser sandbox prevents system-wide compromise, but tab isolation could be bypassed

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious site) but no authentication. Type confusion vulnerabilities in V8 have historically been exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 134.0.6998.88 or later

Vendor Advisory: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html

Restart Required: Yes

Instructions:

1. Open Chrome
2. Click three-dot menu → Help → About Google Chrome
3. Chrome will automatically check for and install updates
4. Click 'Relaunch' to restart Chrome with the update

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution, but breaks most websites

Use Site Isolation

all

Ensure Chrome's Site Isolation feature is enabled (default in modern versions)

🧯 If You Can't Patch

  • Deploy network filtering to block known malicious domains
  • Use application allowlisting to restrict browser execution

🔍 How to Verify

Check if Vulnerable:

Check Chrome version in Settings → About Chrome

Check Version:

chrome://version/

Verify Fix Applied:

Verify Chrome version is 134.0.6998.88 or higher

📡 Detection & Monitoring

Log Indicators:

  • Chrome crash reports
  • Unexpected process termination events
  • Sandbox escape attempts in security logs

Network Indicators:

  • Connections to suspicious domains with crafted JavaScript
  • Unusual outbound traffic from browser processes

SIEM Query:

source="chrome" AND (event_type="crash" OR process_name="chrome.exe" AND exit_code!=0)

📊 Metadata

CVE ID: CVE-2025-2135
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-843
EPSS Score: 0.2% exploit probability (41.8th percentile)
Published: March 10, 2025
Last Updated: April 7, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-2135, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2023-42464 9.8

A Type Confusion vulnerability in Netatalk's afpd service allows remote attackers to potentially exe...

Same vulnerability type (CWE-843)