Sandbox Escape Vulnerability in Mojo of Google Chrome
CVE-2025-2783
Key Information:
Badges
What is CVE-2025-2783?
CVE-2025-2783 is a high-severity vulnerability found in the Mojo component of Google Chrome, specifically affecting versions prior to 134.0.6998.177 for Windows. This flaw allows remote attackers to exploit a sandbox escape through malicious files, undermining the security intended to isolate web content and applications from the rest of the operating system. Given that Google Chrome is widely used for web browsing and online activities, this vulnerability poses a significant risk for organizations, as it can lead to unauthorized access to sensitive information and potential system compromise.
Technical Details
The vulnerability stems from an incorrect handling within the Mojo component of Google Chrome. It facilitates a sandbox escape, where attackers can circumvent the security model that confines processes to a controlled environment. Maliciously crafted files can trigger this vulnerability, enabling attackers to execute code outside the sandbox, thereby gaining broader access to the system.
Potential Impact of CVE-2025-2783
-
Unauthorized Access: Successful exploitation can allow attackers to gain unauthorized access to the machine, potentially granting them the ability to execute malicious actions and exfiltrate sensitive data.
-
System Compromise: The vulnerability may lead to full system compromise, where attackers can install additional malware, create backdoors, or manipulate system configurations to maintain persistent access.
-
Data Breach Risks: Organizations could face significant data breaches as a result of unauthorized data access, leading to potential legal implications, loss of customer trust, and financial consequences.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Chrome 134.0.6998.177
Get notified when SecurityVulnerability.io launches alerting 🔔
Well keep you posted 📧
News Articles
The Hacker NewsCVE-2025-2783⚡ Weekly Recap: Chrome 0-Day, IngressNightmare, Solar Bugs, DNS Tactics, and More
Google patched a Chrome 0-day (CVE-2025-2783) used in live attacks on Russian targets via phishing.
2 days ago
CISA (.gov)CVE-2025-2783CISA Adds One Known Exploited Vulnerability to Catalog | CISA
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation
5 days ago
Help Net SecurityWeek in review: Chrome sandbox escape 0-day fixed, Microsoft adds new AI agents to Security Copilot - Help Net Security
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft’s new AI agents take on phishing, patching,
5 days ago
References
EPSS Score
13% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 💰
Used in Ransomware
- 👾
Exploit known to exist
- 🦅
CISA Reported
- 📈
Vulnerability started trending
Vulnerability published
- 📰
First article discovered
Vulnerability Reserved