CVE-2025-13634 — Authentication Bypass by Spoofing in Google Chrome

CWE-290 — Authentication Bypass by Spoofing7 documents7 sources

Severity

4.4MEDIUMNVD

EPSS

0.0%

top 99.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Chrome Chromium

Timeline

PublishedDec 2

Latest updateDec 9

Description

Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143.0.7499.41 allowed a local attacker to bypass mark of the web via a crafted HTML page. (Chromium security severity: Medium)

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 1.8 | Impact: 2.5

Affected Packages3 packages

▶CVEListV5google/chrome143.0.7499.41 — 143.0.7499.41

▶NVDgoogle/chrome< 143.0.7499.40

▶Debianchromium/chromium< 143.0.7499.40-1~deb12u1+2

🔴Vulnerability Details

OSV

CVE-2025-13634: Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143↗2025-12-02

▶

CVEList

CVE-2025-13634: Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143↗2025-12-02

▶

GHSA

GHSA-h5pr-3m5w-7gm8: Inappropriate implementation in Downloads in Google Chrome on Windows prior to 143↗2025-12-02

▶

📋Vendor Advisories

Microsoft

Chromium: CVE-2025-13634 Inappropriate implementation in Downloads↗2025-12-09

▶

Debian

CVE-2025-13634: chromium - Inappropriate implementation in Downloads in Google Chrome on Windows prior to 1...↗2025

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft December 2025 Patch Tuesday fixes 3 zero-days, 57 flaws↗2025-12-09

▶