Cyber Resilience

CVE-2025-0291

High

Published: 08 January 2025

Published
08 January 2025
Modified
11 February 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.1209 94.0th percentile
Risk Priority 25 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0291 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0291 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 131.0.6778.264. The flaw, assigned CWE-843 and rated High severity by Chromium, resides in the browser's core scripting component and carries a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, and no required privileges.

A remote attacker can exploit the issue by serving a specially crafted HTML page that triggers the type confusion, resulting in arbitrary code execution that remains confined to the renderer sandbox. Successful exploitation requires the victim to visit the malicious page, after which the attacker gains the ability to run code within the compromised renderer process.

The referenced Chrome stable channel update and Chromium issue tracker entry indicate that the vulnerability is resolved by upgrading to version 131.0.6778.264 or later; administrators should apply the patch through normal browser update mechanisms to eliminate the affected code path.

EPSS scores for the CVE stand at a current value of 0.1209 with a recorded peak of 0.1401, indicating moderate but not sharply escalating exploitation interest since disclosure.

EU & UK References

Vulnerability details

Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Type confusion in V8 enables RCE via crafted malicious HTML page visited by user, directly mapping to drive-by compromise and malicious link execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6363Same product: Google Chrome
CVE-2025-2135Same product: Google Chrome
CVE-2026-8540Same product: Google Chrome
CVE-2025-1920Same product: Google Chrome
CVE-2025-0436Same product: Google Chrome
CVE-2026-9908Same product: Google Chrome
CVE-2025-0995Same product: Google Chrome
CVE-2026-2649Same product: Google Chrome
CVE-2025-2136Same product: Google Chrome
CVE-2025-0999Same product: Google Chrome

Affected Assets

google
chrome
≤ 131.0.6778.264

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of flaws, mandating patching of the V8 type confusion vulnerability in Chrome prior to 131.0.6778.264.

detect

Enables vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2025-0291 for subsequent remediation.

prevent

Requires obtaining and implementing security alerts and advisories, such as the Chrome stable channel update that patches this V8 vulnerability.

References