ComponentInstaller Modification in Google ChromeOS Affects Chromebooks
CVE-2025-1704

6.5MEDIUM

Key Information:

Vendor
Google
Status
Chromeos
Vendor
CVE Published:
16 April 2025

Summary

A modification in the ComponentInstaller of Google ChromeOS 124.0.6367.34 enables enrolled users with local access to circumvent device management protocols. This vulnerability allows attackers to unenroll devices and intercept critical device management requests by loading components from the unencrypted stateful partition. This poses a significant risk for Chromebooks, as it could facilitate unauthorized control over device configurations and management.

Affected Version(s)

ChromeOS 124.0.6367.34

References

https://issuetracker.google.com/issues/359915523
https://issues.chromium.org/issues/b/359915523

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.