CVE-2025-45663 – CVE-2025-45663 is a memory corruption vulnerabi... (How to Fix)

Q: What is the severity of CVE-2025-45663?

CVE-2025-45663 has a CVSS score of 6.5 (MEDIUM). CVE-2025-45663 is a memory corruption vulnerability in NetSurf browser v3.11 where uninitialized heap memory is read when creating DOM event structures. This could allow attackers to leak sensitive information or potentially execute arbitrary code. Users running NetSurf v3.11 are affected.

📋 TL;DR

CVE-2025-45663 is a memory corruption vulnerability in NetSurf browser v3.11 where uninitialized heap memory is read when creating DOM event structures. This could allow attackers to leak sensitive information or potentially execute arbitrary code. Users running NetSurf v3.11 are affected.

💻 Affected Systems

Products:

NetSurf

Versions: v3.11

Operating Systems: Linux, BSD, RISC OS, AmigaOS, macOS, Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of NetSurf v3.11 are vulnerable regardless of configuration.

📦 What is this software?

Netsurf by Netsurf Browser

View all CVEs affecting Netsurf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure leading to memory content leakage, potentially including sensitive data like passwords, session tokens, or other application memory contents.

🟠

Likely Case

Application crash or information disclosure of random memory contents, potentially revealing internal state information.

🟢

If Mitigated

Limited impact with proper memory isolation and ASLR protections, possibly just application instability.

🌐 Internet-Facing: MEDIUM - Browser vulnerabilities can be exploited via malicious websites, but requires user interaction to visit compromised sites.

🏢 Internal Only: LOW - Primarily affects client-side browser software, not typically deployed as internal services.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires user to visit malicious website. Public disclosure includes technical details that could facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.12 or later

Vendor Advisory: https://www.netsurf-browser.org/news/releases/

Restart Required: Yes

Instructions:

1. Visit netsurf-browser.org 2. Download latest version 3. Install over existing installation 4. Restart browser

🔧 Temporary Workarounds

Disable JavaScript

all

Prevents exploitation by disabling JavaScript execution which is typically required for DOM event manipulation.

Not applicable - configure via browser settings

🧯 If You Can't Patch

Restrict browser usage to trusted websites only
Implement application whitelisting to prevent NetSurf execution

🔍 How to Verify

Check if Vulnerable:

Check NetSurf version via Help → About or 'netsurf --version' command

Check Version:

netsurf --version

Verify Fix Applied:

Verify version is v3.12 or later and test with known safe websites

📡 Detection & Monitoring

Log Indicators:

Application crashes
Memory access violation errors
Unexpected browser termination

Network Indicators:

Connections to suspicious domains followed by browser crashes

SIEM Query:

process_name:"netsurf" AND (event_type:"crash" OR error_code:"ACCESS_VIOLATION")

📊 Metadata

CVE ID: CVE-2025-45663

CVSS v3 Score: 6.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CWE: CWE-244

EPSS Score: 0.07% exploit probability (21.6th percentile)

Published: November 3, 2025

Last Updated: November 5, 2025

🔗 References

https://github.com/Fysac/netsurf-disclosure/tree/main/CVE-2025-45663 Exploit,Third Party Advisory
https://www.netsurf-browser.org/ Product

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-45663, you might also want to check these: