CVE-2025-13230
Published: 18 November 2025
Summary
CVE-2025-13230 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 29.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the type confusion vulnerability in Chrome's V8 engine by requiring timely identification, reporting, and correction via vendor patches such as version 142.0.7444.59.
Scans systems to identify vulnerable Chrome versions affected by CVE-2025-13230, enabling proactive patching before remote exploitation via crafted HTML pages.
Implements memory protections like ASLR and DEP to minimize the impact of heap corruption from V8 type confusion exploits in the browser renderer process.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Type confusion in V8 engine exploited via crafted HTML page on malicious website enables drive-by compromise (T1189) and exploitation for client execution (T1203) in the browser renderer process.
NVD Description
Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
Deeper analysisAI
CVE-2025-13230 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 142.0.7444.59. This flaw, classified under CWE-843, enables a remote attacker to potentially trigger heap corruption through a specially crafted HTML page. Chromium rates the issue as high severity, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its potential for significant impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability by enticing a user to visit a malicious website containing the crafted HTML page, requiring user interaction such as loading or rendering the page. No special privileges are needed, and the low attack complexity makes it accessible to attackers with basic web development skills. Successful exploitation could lead to heap corruption, potentially allowing arbitrary code execution within the browser's renderer process, compromising the victim's system.
Mitigation is addressed in the stable channel update for Google Chrome desktop, detailed in the Chrome Releases blog post at https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html, which includes the fix in version 142.0.7444.59. Additional technical details are available in the Chromium issue tracker at https://issues.chromium.org/issues/446124892. Security practitioners should ensure users update to Chrome 142.0.7444.59 or later and advise against visiting untrusted websites.
Details
- CWE(s)