cbcvebase.
CVE-2025-13223
published 2025-11-17

CVE-2025-13223: Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page…

Priority: P187, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
KEV: CISA Known Exploited Vulnerability, due 2025-12-10
ITW: Exploited in the wild
EPSS: 4.83% (90.9th percentile)
Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Affected

8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 142.0.7444.175-1~deb12u1 | 142.0.7444.175-1~deb12u1 |
| chromium | chromium | >= 0 < 142.0.7444.175-1~deb13u1 | 142.0.7444.175-1~deb13u1 |
| chromium | chromium | >= 0 < 142.0.7444.175-1 | 142.0.7444.175-1 |
| debian | chromium | < chromium 142.0.7444.175-1~deb12u1 (bookworm) | chromium 142.0.7444.175-1~deb12u1 (bookworm) |
| google | chrome | < 142.0.7444.175 | 142.0.7444.175 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |
| paloalto | prisma_browser | | |

Detection & IOCs (extracted from sources)

Version: Google Chrome < 142.0.7444.175
  • CVE-2025-13223 is actively exploited in the wild via crafted HTML pages triggering V8 type confusion leading to heap corruption; monitor for exploitation attempts delivered through web browsing.
  • The vulnerability is exploitable remotely via a crafted HTML page — monitor for suspicious or anomalous Chrome/Chromium renderer process crashes or heap corruption signals.
  • CISA has added this to the Known Exploited Vulnerabilities catalog with a remediation due date of 2025-12-10; treat any unpatched Chrome/Chromium V8 instance as actively at risk.
  • A public proof-of-concept and active exploitation have been reported; prioritize detection of Chrome versions prior to 142.0.7444.175 in the environment.
  • The fix is confirmed in Chrome stable channel 142.0.7444.175 and later; Debian bullseye remains unresolved/open as of the tracker.
  • Microsoft Edge (Chromium-based) is also affected as it ingests Chromium; the patched Edge version is 142.0.3595.90.

CVSS provenance

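| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |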