Inappropriate Access Control Vulnerability in Google Chrome
CVE-2025-4052

9.8CRITICAL

Key Information:

Vendor

Google

Status
Vendor
CVE Published:
5 May 2025

What is CVE-2025-4052?

CVE-2025-4052 is a vulnerability in Google Chrome, specifically relating to inappropriate access control within its DevTools component. This vulnerability affects versions of Chrome prior to 136.0.7103.59. By exploiting this flaw, a remote attacker could potentially bypass discretionary access controls when a user interacts with a specially crafted HTML page in a certain manner. Such a capability could allow malicious actors to manipulate user interactions, posing risks to the confidentiality and integrity of data.

Technical Details

The issue revolves around a specific implementation in Google Chrome's DevTools that fails to enforce adequate access control measures. Attackers could leverage social engineering tactics to entice users into performing specific UI gestures, thereby enabling access to restricted functionalities or data. The vulnerability stems from flaws in how certain user inputs are handled, which can be exploited through crafted web content.

Potential Impact of CVE-2025-4052

  1. Bypass of Access Controls: This vulnerability allows for the potential circumvention of discretionary access control mechanisms, which could enable unauthorized actions within the browser.

  2. Data Integrity Risks: With the capability to bypass access restrictions, attackers could manipulate or compromise sensitive data, posing significant risks to both personal and organizational information.

  3. Increased Attack Surface: The existence of such a vulnerability in a widely-used browser like Google Chrome broadens the potential attack vectors available to cybercriminals, heightening overall cybersecurity threats for users and organizations reliant on this software.

Affected Version(s)

Chrome 136.0.7103.59

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.