CVE-2025-6557UI Misrepresentation / Clickjacking in Google Chrome

CWE-1021UI Misrepresentation / Clickjacking7 documents7 sources
Severity
5.4MEDIUMNVD
EPSS
0.1%
top 75.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Google ChromeChromiumPaloalto Prisma Browser
Timeline
PublishedJun 24
Latest updateJul 9

Description

Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages4 packages

CVEListV5google/chrome138.0.7204.49138.0.7204.49
NVDgoogle/chrome< 138.0.7204.49
Debianchromium/chromium< 138.0.7204.49-1~deb12u1+2

🔴Vulnerability Details

3
GHSA
GHSA-35qc-7cp5-9q9m: Insufficient data validation in DevTools in Google Chrome on Windows prior to 1382025-06-24
CVEList
CVE-2025-6557: Insufficient data validation in DevTools in Google Chrome on Windows prior to 1382025-06-24
OSV
CVE-2025-6557: Insufficient data validation in DevTools in Google Chrome on Windows prior to 1382025-06-24

📋Vendor Advisories

3
Palo Alto
PAN-SA-2025-0013 Chromium: Monthly Vulnerability Update (July 2025)2025-07-09
Microsoft
Chromium: CVE-2025-6557 Insufficient data validation in DevTools2025-06-10
Debian
CVE-2025-6557: chromium - Insufficient data validation in DevTools in Google Chrome on Windows prior to 13...2025
CVE-2025-6557 — UI Misrepresentation / Clickjacking | cvebase