PoC Exploit Released for Chrome 0-Day Vulnerability Exploited in the Wild

Google has disclosed a critical zero-day vulnerability in the V8 JavaScript engine used by Chrome, tracked as CVE-2025-5419. 

Before a patch could be rolled out to all users, proof-of-concept (PoC) exploit code had been published, and active exploitation had been observed in targeted campaigns. 

Key Takeaways
1. CVE-2025-5419 lets attackers exploit V8 OOB read/write for remote code execution.
2. Public PoC shows array backing-store corruption and function-pointer hijack; real-world attacks reported.
3. Update Chrome, block exploit domains, or disable JIT on untrusted sites.

Security teams and administrators are urged to upgrade to Chrome 137.0.7151.68 or later immediately to mitigate ongoing attacks.

Out-of-Bounds (OOB) Flaw

CVE-2025-5419 is an out-of-bounds (OOB) read and write flaw in V8’s array handling routines. 

An attacker can craft a malicious HTML page embedding specially structured JavaScript arrays that trigger heap corruption when parsed by the engine. 

This corruption allows arbitrary read and write primitives within the renderer process, paving the way for remote code execution under the context of the logged-in user.

Exploit chains typically begin with the OOB primitive to leak addresses of critical V8 objects, then escalate to an arbitrary write to overwrite function pointers. 

Once exploited, the attacker can drop a second-stage payload or deliver ransomware, keyloggers, or other malware.

Risk Factors            Details
Affected Products       Google Chrome prior to 137.0.7151.68
Impact                  Arbitrary code execution
Exploit Prerequisites   Victim must visit a malicious webpage
CVSS 3.1 Score          9.8 (Critical)

PoC Exploit 

A PoC script has been published by security researcher mistymntncop on GitHub. The key snippet demonstrating the OOB write appears as follows:

[Image: PoC exploit snippet (not reproduced on this page)]

This code corrupts the backing store of arr, enabling controlled overwrites of adjacent memory. The PoC then leverages these primitives to hijack the V8 function dispatch table, achieving arbitrary code execution in the renderer.

Active exploitation in the wild has been reported, with targeted spear-phishing campaigns luring victims to compromised sites. Organizations should:

  • Ensure all endpoints run version 137.0.7151.68 or newer.
  • Block known exploit domains and monitor unusual V8 process behavior.
  • Look for JavaScript exceptions or suspicious heap layout anomalies.

Google’s official patch addresses the root cause by correcting the bounds check logic in V8’s array implementation.

With the rapid publication of PoC code and confirmed in-the-wild attacks, defenders must act swiftly to eliminate this high-severity threat.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.