CVE-2025-5959
published 2025-06-11

CVE-2025-5959: Type Confusion in V8 in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page…

Priority P2 60 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 10.17% (95.1th percentile)
Type Confusion in V8 in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 137.0.7151.103-1~deb12u1 | 137.0.7151.103-1~deb12u1 |
| chromium | chromium | >= 0 < 137.0.7151.103-1 | 137.0.7151.103-1 |
| chromium | chromium | >= 0 < 137.0.7151.103-1 | 137.0.7151.103-1 |
| debian | chromium | < chromium 137.0.7151.103-1~deb12u1 (bookworm) | chromium 137.0.7151.103-1~deb12u1 (bookworm) |
| google | chrome | < 137.0.7151.103 | 137.0.7151.103 |
| google | chrome | >= 137.0.7151.103 < 137.0.7151.103 | 137.0.7151.103 |
| google | chrome_chrome | | |
| msrc | microsoft_edge | | |
| paloalto | prisma_browser | | |

Detection & IOCs (extracted from sources)

  • CVE-2025-5959 is a Type Confusion vulnerability in the V8 JavaScript/WebAssembly engine; exploitation is triggered via a crafted HTML page delivered remotely, enabling RCE inside the Chrome sandbox. Monitor for suspicious headless Chromium browser activity spawned by Grafana Image Renderer or Synthetic Monitoring Agent processes.
  • The vulnerability was demonstrated as exploitable in Grafana Image Renderer (versions prior to 3.12.9) and Grafana Synthetic Monitoring Agent (versions before 0.38.3), both of which embed a headless Chromium browser. Alert on these specific component versions processing untrusted HTML content.
  • The vulnerability was reported as part of TyphoonPWN 2025 by Seunghyun Lee, indicating a known public proof-of-concept context exists. Prioritize detection of V8 type confusion exploitation patterns in Chrome/Chromium 137 prior to version 137.0.7151.103.
  • Grafana Cloud and Azure Managed Grafana instances have already been patched server-side; only self-hosted deployments of Grafana Image Renderer and Synthetic Monitoring Agent require manual action.
  • Debian Bullseye (oldoldstable) remains unpatched/open for this CVE as of the time of reporting; environments running Chromium on Bullseye should be treated as vulnerable.

CVSS provenance

  • nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • osv: 8.8 HIGH
  • vendor_debian: 8.8 HIGH
  • vendor_msrc: 8.8 HIGH