CVE-2025-2783
published 2025-03-26


Priority: P1 · 82 · high · CVSS 3.1: 8.3
Vector: AV:N / AC:H / PR:N / UI:R / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-04-17
Exploited in the wild
EPSS: 8.40% (94.3rd percentile)
Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

Affected

12 ranges

Vendor   | Product         | Version range              | Fixed in
debian   | chromium        | -                          | -
debian   | firefox         | -                          | -
debian   | firefox-esr     | -                          | -
google   | chrome          | < 134.0.6998.177           | 134.0.6998.177
google   | chrome_chrome   | -                          | -
mozilla  | firefox         | < 136.0.4                  | 136.0.4
mozilla  | firefox         | < 115.21.1                 | 115.21.1
mozilla  | firefox         | -                          | -
mozilla  | firefox         | >= 128.1.0, < 128.8.1      | 128.8.1
msrc     | microsoft_edge  | -                          | -
paloalto | prisma_access   | -                          | -
paloalto | prisma_browser  | -                          | -

Detection & IOCs (extracted from sources)

path: %localappdata%\Microsoft\Windows\Explorer\iconcache_.dll
registry: HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
command: console.debug(0x42, shellcode);
  • Sandbox escape is triggered via a JavaScript call to console.debug(0x42, shellcode) — monitor for this pattern in browser process telemetry or JS engine hooks.
  • The exploit relays a GetCurrentThread pseudo-handle (-2) via ipcz RelayMessage to obtain a real browser-process thread handle — monitor for DuplicateHandle calls where the source handle value is -2 (0xFFFFFFFFFFFFFFFE) originating from a renderer process.
  • Post-exploitation persistence uses COM hijacking: a malicious DLL is written to %localappdata%\Microsoft\Windows\Explorer\iconcache_.dll and registered under HKCR\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32.
  • The exploit hooks ipcz::NodeLink::OnAcceptRelayedMessage and v8_inspector::V8Console::Debug — presence of statically compiled Mojo/ipcz libraries in a renderer process is a strong indicator of exploitation.
  • The malicious site fingerprints the OS and only serves the payload to Windows users — non-Windows requests receive a message prompting the user to retry from Windows. Detect server-side OS filtering in HTTP responses as an evasion indicator.
  • The validator uses the WebGPU API to compute SHA-256 of server-supplied random data before delivering the exploit — anomalous WebGPU usage in a browser tab loading external JS (bootstrap.bundle.min.js, .woff2 font files) may indicate exploit staging.
  • The exploit payload is hidden inside requests to bootstrap.bundle.min.js and .woff2 font files, decrypted with an AES-GCM key exchanged via ECDH — inspect anomalous font/JS responses for encrypted binary content.
  • Malicious links were personalized and extremely short-lived; by the time of analysis the exploit was no longer served at the URL — only artifacts from the first infection wave were available for analysis.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.3   | HIGH     | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
ghsa          | -       | 8.3   | HIGH     | -
osv           | -       | 8.3   | HIGH     | -
vulncheck     | -       | 8.3   | HIGH     | -
cisa          | -       | 8.3   | HIGH     | -
vendor_debian | -       | 8.3   | LOW      | -
vendor_msrc   | -       | 8.3   | HIGH     | -
vendor_redhat | -       | 8.3   | HIGH     | -