Cyber Posture

CVE-2025-0447

HighPublic PoC

Published: 15 January 2025

Published
15 January 2025
Modified
21 April 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0063 70.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0447 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 29.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation ensures patching of the specific inappropriate implementation in Chrome's Navigation component, directly eliminating the privilege escalation vulnerability.

SI-10 Information Input Validation partial match
prevent

Information input validation addresses the CWE-79-related failure in properly handling crafted HTML pages during navigation, preventing exploitation.

SC-39 Process Isolation partial match
prevent

Process isolation enforces sandboxing in Chrome's multi-process architecture, limiting the impact of privilege escalation from compromised navigation handling.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Description explicitly states remote privilege escalation via crafted HTML page in browser navigation component, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

Deeper analysisAI

CVE-2025-0447 involves an inappropriate implementation in the Navigation component of Google Chrome prior to version 132.0.6834.83. This flaw allows a remote attacker to achieve privilege escalation via a crafted HTML page. The vulnerability is associated with CWE-79 and carries a Chromium security severity rating of Low, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker without privileges can exploit the issue by luring a user to interact with a malicious site hosting the crafted HTML page, requiring user interaction such as clicking or navigating. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability.

Google addressed the vulnerability in the stable channel update for desktop Chrome 132.0.6834.83, as announced at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html. Further technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/375550814.

Details

CWE(s)
CWE-79

Affected Products

google
chrome
≤ 132.0.6834.83

CVEs Like This One

CVE-2025-0443Same product: Google Chrome
CVE-2025-1914Same product: Google Chrome
CVE-2025-0436Same product: Google Chrome
CVE-2025-0995Same product: Google Chrome
CVE-2025-2136Same product: Google Chrome
CVE-2026-6359Same product: Google Chrome
CVE-2025-1919Same product: Google Chrome
CVE-2025-0291Same product: Google Chrome
CVE-2025-1006Same product: Google Chrome
CVE-2026-6361Same product: Google Chrome

References