CVE-2025-5419
Published: 03 June 2025
Summary
CVE-2025-5419 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Google Chrome. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 11.6% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-5419 is an out-of-bounds read and write vulnerability in the V8 JavaScript engine within Google Chrome versions prior to 137.0.7151.68. The flaw, assigned Chromium security severity High and mapped to CWE-125 and CWE-787, can result in heap corruption when processing a specially crafted HTML page.
A remote attacker can exploit the issue by convincing a user to visit a malicious web page, achieving high impact on confidentiality, integrity, and availability without requiring authentication or elevated privileges.
Advisories from the Chrome release notes and Microsoft Security Response Center recommend immediate upgrade to version 137.0.7151.68 or later. The vulnerability is also tracked in the CISA Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
The EPSS score remains low and unchanged, with a peak of 0.0383 and no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16695
Vulnerability details
Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE(s)
- KEV Date Added: 05 June 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of the vendor patch (Chrome 137.0.7151.68) that eliminates the out-of-bounds read/write flaw in V8.
Enforces memory-protection mechanisms that block or contain the heap corruption resulting from the CWE-125/CWE-787 violation.
Restricts or sanitizes untrusted mobile code (JavaScript) that an attacker uses to trigger the crafted HTML page against the vulnerable V8 engine.