Cyber Resilience

CVE-2025-5419

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 03 June 2025

Modified: 24 October 2025
KEV Added: 05 June 2025
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0383 (88.4th percentile)
Risk Priority: 40 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-5419 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 11.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-5419 is an out-of-bounds read and write vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 137.0.7151.68. The flaw, assigned Chromium security severity High and mapped to CWE-125 and CWE-787, can result in heap corruption when processing a specially crafted HTML page.

A remote attacker can exploit the issue by convincing a user to visit a malicious web page, achieving high impact on confidentiality, integrity, and availability without requiring authentication or elevated privileges.

Advisories from the Chrome release notes and Microsoft Security Response Center recommend immediate upgrade to version 137.0.7151.68 or later. The vulnerability is also tracked in the CISA Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

EPSS remains low, unchanged at its peak of 0.0383, with no material increase after disclosure.

EU & UK References

Vulnerability details

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
05 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google chrome ≤ 137.0.7151.68
microsoft edge chromium ≤ 137.0.3296.62

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires timely installation of the vendor patch (Chrome 137.0.7151.68) that eliminates the out-of-bounds read/write flaw in V8.

prevent

Enforces memory-protection mechanisms that block or contain the heap corruption resulting from the CWE-125/CWE-787 violation.

SC-18 Mobile Code partial match
prevent

Restricts or sanitizes untrusted mobile code (JavaScript) that an attacker uses to trigger the crafted HTML page against the vulnerable V8 engine.

References