Cyber Resilience

CVE-2025-0447

HighPublic PoC

Published: 15 January 2025

Published
15 January 2025
Modified
21 April 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0086 75.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0447 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 24.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2025-0447 involves an inappropriate implementation in the Navigation component of Google Chrome prior to version 132.0.6834.83. This flaw allows a remote attacker to achieve privilege escalation via a crafted HTML page. The vulnerability is associated with CWE-79 and carries a Chromium security severity rating of Low, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote attacker without privileges can exploit the issue by luring a user to interact with a malicious site hosting the crafted HTML page, requiring user interaction such as clicking or navigating. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability.

Google addressed the vulnerability in the stable channel update for desktop Chrome 132.0.6834.83, as announced at https://chromereleases.googleblog.com/2025/01/stable-channel-update-for-desktop_14.html. Further technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/375550814.

EU & UK References

Vulnerability details

Inappropriate implementation in Navigation in Google Chrome prior to 132.0.6834.83 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Low)

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Description explicitly states remote privilege escalation via crafted HTML page in browser navigation component, directly mapping to exploitation for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-0443Same product: Google Chrome
CVE-2026-9916Same product: Google Chrome
CVE-2026-8575Same product: Google Chrome
CVE-2026-9914Same product: Google Chrome
CVE-2026-9915Same product: Google Chrome
CVE-2026-9900Same product: Google Chrome
CVE-2026-9893Same product: Google Chrome
CVE-2026-9902Same product: Google Chrome
CVE-2026-9895Same product: Google Chrome
CVE-2026-9906Same product: Google Chrome

Affected Assets

google
chrome
≤ 132.0.6834.83

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation ensures patching of the specific inappropriate implementation in Chrome's Navigation component, directly eliminating the privilege escalation vulnerability.

prevent

Information input validation addresses the CWE-79-related failure in properly handling crafted HTML pages during navigation, preventing exploitation.

prevent

Process isolation enforces sandboxing in Chrome's multi-process architecture, limiting the impact of privilege escalation from compromised navigation handling.

References