CVE-2025-1915
Published: 05 March 2025
Summary
CVE-2025-1915 is a high-severity Path Traversal (CWE-22) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 10.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the vulnerability by requiring timely patching of affected Chrome versions prior to 134.0.6998.35 to fix the improper pathname limitation in DevTools.
Prevents exploitation by prohibiting the installation of unapproved user-installed software, including malicious Chrome extensions needed to trigger the DevTools path traversal.
Employs malicious code protection at system entry points to identify and block crafted Chrome extensions that exploit the DevTools file access bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal flaw directly enables unauthorized access to restricted local files on the system (T1005 Data from Local System). Exploitation requires the user to install and execute a malicious Chrome extension file (T1204.002 Malicious File).
NVD Description
Improper Limitation of a Pathname to a Restricted Directory in DevTools in Google Chrome on Windows prior to 134.0.6998.35 allowed an attacker who convinced a user to install a malicious extension to bypass file access restrictions via a crafted Chrome Extension. (Chromium security severity: Medium)
Deeper analysis
CVE-2025-1915, published on 2025-03-05, is an Improper Limitation of a Pathname to a Restricted Directory vulnerability (CWE-22) in DevTools within Google Chrome on Windows versions prior to 134.0.6998.35. This flaw enables attackers to bypass file access restrictions through a crafted Chrome Extension. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), classified as High severity, though Chromium rates it as Medium.
Exploitation requires an attacker to convince a targeted user to install a malicious Chrome extension. The CVSS vector reflects this: network attack vector, low attack complexity, no privileges required, and user interaction required. On success, the attacker achieves high impact on confidentiality and integrity through unauthorized access to restricted files, while availability remains unaffected.
Google's stable channel update for desktop, detailed at chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop.html, patches this issue in Chrome version 134.0.6998.35. Additional technical details are available in the Chromium issue tracker at issues.chromium.org/issues/391114799. Mitigation involves updating affected Windows installations to the latest stable Chrome release.
Details
- CWE(s)