CVE-2025-0291
Published: 08 January 2025
Summary
CVE-2025-0291 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-0291 is a type confusion vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 131.0.6778.264. The flaw, assigned CWE-843 and rated High severity by Chromium, resides in the browser's core scripting component and carries a CVSS 3.1 score of 8.8 reflecting network attack vector, low complexity, and no required privileges.
A remote attacker can exploit the issue by serving a specially crafted HTML page that triggers the type confusion, resulting in arbitrary code execution that remains confined to the renderer sandbox. Successful exploitation requires the victim to visit the malicious page, after which the attacker gains the ability to run code within the compromised renderer process.
The referenced Chrome stable channel update and Chromium issue tracker entry indicate that the vulnerability is resolved by upgrading to version 131.0.6778.264 or later; administrators should apply the patch through normal browser update mechanisms to eliminate the affected code path.
EPSS scores for the CVE stand at a current value of 0.1209 with a recorded peak of 0.1401, indicating moderate but not sharply escalating exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-1583
Vulnerability details
Type Confusion in V8 in Google Chrome prior to 131.0.6778.264 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in V8 enables RCE via crafted malicious HTML page visited by user, directly mapping to drive-by compromise and malicious link execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely identification, reporting, and correction of flaws, mandating patching of the V8 type confusion vulnerability in Chrome prior to 131.0.6778.264.
Enables vulnerability scanning to identify systems running vulnerable Chrome versions affected by CVE-2025-0291 for subsequent remediation.
Requires obtaining and implementing security alerts and advisories, such as the Chrome stable channel update that patches this V8 vulnerability.