CVE-2025-0291
Published: 08 January 2025
Summary
CVE-2025-0291 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of flaws, mandating patching of the V8 type confusion vulnerability in Chrome prior to 131.0.6778.264.
Enables vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2025-0291 for subsequent remediation.
Requires obtaining and implementing security alerts and advisories, such as the Chrome stable channel update that patches this V8 vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in V8 enables RCE via crafted malicious HTML page visited by user, directly mapping to drive-by compromise and malicious link execution.
NVD Description
Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-0291 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 131.0.6778.264. This flaw, classified under CWE-843, enables malformed object handling that leads to incorrect type assumptions during execution. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated High severity by Chromium security standards.
A remote attacker can exploit this vulnerability by crafting an HTML page that triggers the type confusion in V8 when rendered in Chrome. Exploitation requires user interaction, such as visiting a malicious website, after which the attacker achieves arbitrary code execution within the browser's sandbox. This grants high-impact access to confidentiality, integrity, and availability, though confined to the sandboxed environment.
Mitigation is addressed in the Chrome stable channel update documented at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop.html, which patches the issue in version 131.0.6778.264 and later. Additional details are available in the Chromium bug tracker at https://issues.chromium.org/issues/383356864. Security practitioners should prioritize updating affected Chrome installations to prevent exploitation.
Details
- CWE(s)