CVE-2025-2137
Published: 10 March 2025
Summary
CVE-2025-2137 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 44.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the out-of-bounds read vulnerability in Chrome's V8 engine by requiring timely identification, reporting, and patching to version 134.0.6998.88 or later.
Mitigates exploitation of the out-of-bounds memory access via controls like address space layout randomization and data execution prevention that protect against memory corruption in the browser.
Detects the presence of vulnerable Chrome versions prior to 134.0.6998.88 through vulnerability scanning, enabling proactive flaw remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes an out-of-bounds read in Chrome's V8 engine triggered by a crafted HTML page on a malicious website, directly enabling drive-by compromise via user-visited malicious content and exploitation for client execution.
NVD Description
Out of bounds read in V8 in Google Chrome prior to 134.0.6998.88 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium)
Deeper analysis
CVE-2025-2137 is an out-of-bounds read vulnerability in the V8 JavaScript and WebAssembly engine within Google Chrome versions prior to 134.0.6998.88. This flaw, classified under CWE-125, enables out-of-bounds memory access when processing a crafted HTML page. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is rated Medium severity by Chromium security standards.
A remote attacker can exploit this vulnerability by tricking a user into visiting a malicious website containing the crafted HTML page, which requires user interaction but no special privileges. Successful exploitation allows arbitrary out-of-bounds memory access, potentially leading to high-impact consequences such as disclosure of sensitive information, code execution, or system crashes affecting confidentiality, integrity, and availability.
Google's stable channel update for desktop, detailed at https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_10.html, addresses the vulnerability by upgrading Chrome to version 134.0.6998.88. Additional details are tracked in the Chromium issue at https://issues.chromium.org/issues/398999390. Security practitioners should prioritize updating affected Chrome installations to mitigate the risk.
Details
- CWE(s)