1. Home
  2. Vulnerabilities
  3. CVE-2025-13223
Known Exploited Vulnerability
8.8
HIGH CVSS 3.1
CVE-2025-13223
Google Chromium V8 Type Confusion Vulnerability - [Actively Exploited]
Description

Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

INFO

Published Date :

Nov. 17, 2025, 11:15 p.m.

Last Modified :

Dec. 2, 2025, 2:33 p.m.

Remotely Exploit :

Yes !

Source :

[email protected]
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Notes :

https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html ; https://nvd.nist.gov/vuln/detail/CVE-2025-13223

Affected Products

The following products are affected by CVE-2025-13223 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Microsoft windows
2 Microsoft edge_chromium
1 Linux linux_kernel
1 Google chrome
1 Apple macos
: Total Affected Vendor : 4 | Products : 5
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH 134c704f-9b21-4f2e-91b3-4a467353bcc0
Solution
Update Google Chrome to patch heap corruption vulnerabilities.
  • Update Google Chrome to version 142.0.7444.175 or later.
  • Avoid visiting untrusted websites.
Public PoC/Exploit Available at Github

CVE-2025-13223 has a 4 public PoC/Exploit available at Github. Go to the Public Exploits tab to see the list.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-13223.

URL Resource
https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html Release Notes Vendor Advisory
https://issues.chromium.org/issues/460017370 Issue Tracking Permissions Required
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-13223 US Government Resource
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-13223 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-13223 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Profile Photo
Darwin72820/CVE-2025-13223

None

Updated: 1 week, 5 days ago
1 stars 0 fork 0 watcher
Born at : Nov. 24, 2025, 7:41 p.m. This repo has been linked 1 different CVEs too.
Profile Photo
w4zu/Debian_security

DSA and DLA for Debian last 14 days

Python

Updated: 1 week, 5 days ago
0 stars 0 fork 0 watcher
Born at : Feb. 12, 2025, 2:08 p.m. This repo has been linked 165 different CVEs too.
Profile Photo
aws/code-editor

Code Editor, based on Code-OSS

TypeScript HTML Shell

Updated: 1 week, 6 days ago
20 stars 12 fork 12 watcher
Born at : Nov. 4, 2024, 3:10 p.m. This repo has been linked 2 different CVEs too.
Profile Photo
DevGreick/devgreick

None

Python

Updated: 1 week, 5 days ago
1 stars 0 fork 0 watcher
Born at : Oct. 29, 2024, 8:10 p.m. This repo has been linked 10 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2025-13223 vulnerability anywhere in the article.

  • Daily CyberSecurity
The PDF Trap: Critical Vulnerability (CVE-2025-66516, CVSS 10.0) Hits Apache Tika Core

The Apache Tika toolkit, the industry standard for detecting and extracting metadata from over a thousand file types, has issued a maximum-severity alert. A critical XML External Entity (XXE) vulnerab ... Read more

Published Date: Dec 05, 2025 (3 days, 1 hour ago)
  • Daily CyberSecurity
“React2Shell” Storm: China-Nexus Groups Weaponize Critical React Flaw Hours After Disclosure

Only hours after the public disclosure of a critical vulnerability in the React ecosystem, state-sponsored cyber espionage groups have already launched active exploitation campaigns. Amazon threat int ... Read more

Published Date: Dec 05, 2025 (3 days, 1 hour ago)
  • Daily CyberSecurity
High-Severity Splunk Flaw Allows Local Privilege Escalation via Incorrect File Permissions on Windows

Splunk administrators managing Windows environments are being urged to patch immediately following the discovery of two high-severity vulnerabilities affecting both the Enterprise platform and Univers ... Read more

Published Date: Dec 05, 2025 (3 days, 2 hours ago)
  • Daily CyberSecurity
High-Severity Cacti Flaw (CVE-2025-66399) Risks Remote Code Execution via SNMP Community String Injection

Image: Cacti A high-severity security flaw has been uncovered in Cacti, the popular open-source network graphing solution. The vulnerability, tracked as CVE-2025-66399, exposes Cacti installations to ... Read more

Published Date: Dec 05, 2025 (3 days, 3 hours ago)
  • Daily CyberSecurity
NVIDIA Triton Server Patches Two High-Severity DoS Flaws, Risking Critical AI Inference Disruption

NVIDIA has issued a security bulletin regarding its Triton Inference Server, a cornerstone tool used by MLOps teams globally to deploy AI models at scale. The company has identified two high-severity ... Read more

Published Date: Dec 05, 2025 (3 days, 3 hours ago)
  • Daily CyberSecurity
AWS Trainium Chip Business Hits Multi-Billion Revenue, Challenging NVIDIA’s Pricing

Under the near-monopoly that NVIDIA holds in the AI acceleration market, Amazon has unmistakably carved out a path of its own. According to CEO Andy Jassy, AWS’s in-house AI compute chip business buil ... Read more

Published Date: Dec 04, 2025 (3 days, 18 hours ago)
  • Daily CyberSecurity
Maximum Severity Alert: Critical RCE Flaw Hits Next.js (CVE-2025-66478, CVSS 10.0)

Developers using the modern stack of Next.js and React are facing a “red alert” situation today. A maximum-severity security flaw has been uncovered in the React Server Components (RSC) protocol, putt ... Read more

Published Date: Dec 04, 2025 (4 days ago)
  • Daily CyberSecurity
Critical WordPress Flaw (CVE-2025-6389) Under Active Exploitation Allows Unauthenticated RCE

A critical Remote Code Execution (RCE) vulnerability has been discovered in the Sneeit Framework, a core plugin bundled with multiple premium themes. While the patch was quietly released in August, th ... Read more

Published Date: Dec 04, 2025 (4 days ago)
  • Daily CyberSecurity
Catastrophic React Flaw (CVE-2025-55182, CVSS 10.0) Allows Unauthenticated RCE on Next.js and Server Components

The React Team has issued an emergency security advisory following the discovery of a catastrophic vulnerability affecting the modern React ecosystem. The flaw, which carries a maximum severity rating ... Read more

Published Date: Dec 04, 2025 (4 days, 1 hour ago)
  • Daily CyberSecurity
High-Severity Vim for Windows Flaw (CVE-2025-66476) Risks Arbitrary Code Execution from Compromised Folders

Ideally, text editors are passive tools—you open a file, edit it, and save it. But a new high-severity vulnerability in Vim for Windows turns that assumption on its head, potentially allowing attacker ... Read more

Published Date: Dec 04, 2025 (4 days, 3 hours ago)
  • Daily CyberSecurity
AWS Frontier Agents: Autonomous AI ‘Team Members’ Take Over Dev, Security, and Ops

At re:Invent 2025, AWS unveiled a transformative innovation poised to redefine the software-development lifecycle — Frontier Agents. This new class of AI agents is engineered to be autonomous, scalabl ... Read more

Published Date: Dec 04, 2025 (4 days, 3 hours ago)
  • Daily CyberSecurity
AWS AI Factories: Bringing Full Cloud AI Infrastructure On-Prem for Data Sovereignty

As AI models swell to ever-greater scales, governments and large enterprises are placing unprecedented emphasis on data sovereignty and regulatory compliance. At re:Invent 2025, AWS unveiled its new A ... Read more

Published Date: Dec 03, 2025 (4 days, 19 hours ago)
  • Daily CyberSecurity
Microsoft Update Breaks Dark Mode: File Explorer Now Flashes White on Launch

Recently, Microsoft released the preview update KB5070311 for Windows 11 version 24H2/252 — only for users who manually check for updates. Almost immediately, the update was found to introduce a flaw ... Read more

Published Date: Dec 03, 2025 (4 days, 19 hours ago)
  • Daily CyberSecurity
India Mandates SIM-Binding: WhatsApp and Telegram Users Must Re-verify Every 6 Hours

India’s Department of Telecommunications has issued a new directive to both domestic and international developers of major instant-messaging platforms, requiring that users must not be able to access ... Read more

Published Date: Dec 03, 2025 (4 days, 20 hours ago)
  • Daily CyberSecurity
CISA Warns: Critical Longwatch RCE Flaw (CVE-2025-13658, CVSS 9.8) Allows Unauthenticated SYSTEM Takeover of OT Surveillance

A critical security vulnerability has been identified in the Longwatch video surveillance and monitoring system developed by Industrial Video & Control (IV&C), posing a severe risk to industrial opera ... Read more

Published Date: Dec 03, 2025 (5 days ago)
  • Daily CyberSecurity
Chrome 143 Stable Fixes 13 Flaws: High-Severity V8 Type Confusion Earns $11,000 Bounty

Google has officially promoted Chrome 143 to the stable channel for Windows, macOS, and Linux, rolling out a critical security update that addresses 13 vulnerabilities. The release, versioned as 143.0 ... Read more

Published Date: Dec 03, 2025 (5 days ago)
  • Daily CyberSecurity
Django Flaw (CVE-2025-13372) Allows SQL Injection in PostgreSQL FilteredRelation

The maintainers of Django, the high-level Python web framework that powers some of the internet’s largest sites, have released an important security update addressing two distinct vulnerabilities. The ... Read more

Published Date: Dec 03, 2025 (5 days ago)
  • Daily CyberSecurity
CISA Warns: Critical Iskra iHUB Flaw (CVE-2025-13510) Allows Unauthenticated Smart Metering Takeover

A critical security vacuum has been discovered in smart metering infrastructure, potentially leaving utility networks exposed to remote takeover. The Cybersecurity and Infrastructure Security Agency ( ... Read more

Published Date: Dec 03, 2025 (5 days ago)
  • Daily CyberSecurity
Critical Elementor Plugin Flaw (CVE-2025-8489, CVSS 9.8) Under Active Exploitation Allows Unauthenticated Admin Takeover

A critical security flaw in a popular WordPress plugin has triggered a massive wave of exploitation attempts, with threat actors actively trying to seize control of vulnerable websites by registering ... Read more

Published Date: Dec 03, 2025 (5 days, 1 hour ago)
  • Daily CyberSecurity
High-Severity Angular Flaw (CVE-2025-66412) Allows Stored XSS via SVG and MathML Bypass

The maintainers of Angular, the popular platform for building mobile and desktop web applications, have released an important security advisory regarding a high-severity vulnerability in the Angular T ... Read more

Published Date: Dec 03, 2025 (5 days, 3 hours ago)

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2025-13223 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Dec. 02, 2025

    Action Type Old Value New Value
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Dec. 01, 2025

    Action Type Old Value New Value
    Added CWE CWE-843
  • Modified Analysis by [email protected]

    Nov. 21, 2025

    Action Type Old Value New Value
    Added CWE CWE-843
  • CVE Modified by [email protected]

    Nov. 20, 2025

    Action Type Old Value New Value
    Removed CWE CWE-843
  • Modified Analysis by [email protected]

    Nov. 20, 2025

    Action Type Old Value New Value
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-13223 Types: US Government Resource
  • CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725

    Nov. 20, 2025

    Action Type Old Value New Value
    Added Date Added 2025-11-19
    Added Due Date 2025-12-10
    Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
    Added Vulnerability Name Google Chromium V8 Type Confusion Vulnerability
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Nov. 19, 2025

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-13223
  • Initial Analysis by [email protected]

    Nov. 19, 2025

    Action Type Old Value New Value
    Added CPE Configuration AND OR *cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* versions up to (excluding) 142.0.7444.175 OR cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*
    Added Reference Type Chrome: https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html Types: Release Notes, Vendor Advisory
    Added Reference Type Chrome: https://issues.chromium.org/issues/460017370 Types: Issue Tracking, Permissions Required
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Nov. 18, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • New CVE Received by [email protected]

    Nov. 17, 2025

    Action Type Old Value New Value
    Added Description Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
    Added CWE CWE-843
    Added Reference https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html
    Added Reference https://issues.chromium.org/issues/460017370
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 8.8
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact