CVE-2025-6554
Published: 30 June 2025
Summary
CVE-2025-6554 is a high-severity Type Confusion (CWE-843) vulnerability in Google Chrome. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 18.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-18 (Mobile Code).
Deeper analysis
CVE-2025-6554 is a type confusion vulnerability, tracked under CWE-843, in the V8 JavaScript engine within Google Chrome versions prior to 138.0.7204.96. The flaw permits arbitrary memory read and write operations when a victim visits a specially crafted HTML page. It carries a CVSS 3.1 base score of 8.1, reflecting a network attack vector, low complexity, and high impact on confidentiality and integrity.
A remote attacker can exploit the issue by serving malicious web content that triggers the type confusion during JavaScript execution. Successful exploitation grants the attacker the ability to read or corrupt arbitrary memory within the renderer process, potentially leading to code execution or further sandbox escapes, although user interaction is required to load the crafted page.
Chrome stable channel updates released on 30 June 2025 address the vulnerability by advancing the browser to version 138.0.7204.96 or later. The issue is also listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation and underscoring the need for prompt patching across enterprise fleets. The associated EPSS score has remained flat at 0.0158 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19675
Vulnerability details
Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
- CWE(s): CWE-843 (Type Confusion)
- KEV Date Added: 02 July 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- Directly requires timely application of the Chrome 138.0.7204.96 update that eliminates the V8 type-confusion flaw.
- Restricts untrusted JavaScript (mobile code) delivered via crafted HTML pages, or executes it in a sandbox, limiting exploitation of the V8 engine.
- Enforces memory-protection safeguards that block the arbitrary read/write primitive resulting from the type-confusion corruption.