Cyber Resilience

CVE-2025-6554

HighCISA KEVActive ExploitationEUVD Exploited

Published: 30 June 2025

Published
30 June 2025
Modified
24 October 2025
KEV Added
02 July 2025
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0158 82.0th percentile
Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-6554 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).

Operationally, ranked in the top 18.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).

Deeper analysis

CVE-2025-6554 is a type confusion vulnerability, tracked under CWE-843, in the V8 JavaScript engine within Google Chrome versions prior to 138.0.7204.96. The flaw permits arbitrary memory read and write operations when a victim visits a specially crafted HTML page, carrying a CVSS 3.1 base score of 8.1 reflecting network attack vector, low complexity, and high impact on confidentiality and integrity.

A remote attacker can exploit the issue by serving malicious web content that triggers the type confusion during JavaScript execution. Successful exploitation grants the attacker the ability to read or corrupt arbitrary memory within the renderer process, potentially leading to code execution or further sandbox escapes, although user interaction is required to load the crafted page.

Chrome stable channel updates released on 30 June 2025 address the vulnerability by advancing the browser to version 138.0.7204.96 or later. The issue is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the need for prompt patching across enterprise fleets. The associated EPSS score has remained flat at 0.0158 with no material increase since disclosure.

EU & UK References

Vulnerability details

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

CWE(s)
KEV Date Added
02 July 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

google
chrome
≤ 138.0.7204.96 · ≤ 138.0.7204.92

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of the Chrome 138.0.7204.96 update that eliminates the V8 type-confusion flaw.

SC-18 Mobile Code partial match
prevent

Restricts or sandbox-executes untrusted JavaScript (mobile code) delivered via crafted HTML pages, limiting exploitation of the V8 engine.

prevent

Enforces memory-protection safeguards that block the arbitrary read/write primitive resulting from the type-confusion corruption.

References