CISA has issued an urgent warning about a critical zero-day vulnerability in Google Chrome’s V8 JavaScript engine that is being actively exploited by cybercriminals to execute arbitrary code on victims’ systems.
On June 5, 2025, CISA added CVE-2025-5419 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors are leveraging this high-severity flaw in real-world attacks. The vulnerability affects Google Chrome versions prior to 137.0.7151.68 and poses significant risks to millions of users worldwide.
The flaw stems from an out-of-bounds read and write weakness in Chrome’s V8 JavaScript and WebAssembly engine, allowing remote attackers to exploit heap corruption through specially crafted HTML pages.
Security researchers from Google’s Threat Analysis Group, Clement Lecigne and Benoît Sevens, discovered and reported the vulnerability on May 27, 2025.
“Out-of-bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page,” according to the National Vulnerability Database. The vulnerability carries a CVSS score of 8.8, classifying it as high severity.
Google responded swiftly to the threat, implementing an initial mitigation through a configuration change pushed to all Chrome platforms on May 28, 2025. The company subsequently released emergency security updates on June 3, 2025, patching the vulnerability in Chrome versions 137.0.7151.68/.69 for Windows and Mac, and 137.0.7151.68 for Linux.
“Google is aware that an exploit for CVE-2025-5419 exists in the wild,” the company acknowledged in its security advisory, though specific details about the attacks remain restricted until more users install the fix.
This vulnerability affects multiple web browsers that utilize the Chromium engine, including Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi. The out-of-bounds memory operations could enable attackers to manipulate memory in unintended ways, potentially leading to arbitrary code execution or browser sandbox escapes.
CISA’s Binding Operational Directive mandates that Federal Civilian Executive Branch agencies remediate the vulnerability immediately to protect against active threats.
CISA strongly urges all organizations and individual users to prioritize updating their browsers as part of essential vulnerability management practices.
Users should immediately update Chrome by navigating to the browser menu, selecting “Help,” then “About Google Chrome,” and allowing the automatic update to complete.
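For a defender who needs to confirm the fix across many machines rather than one browser menu at a time, the following added Python example (not Google's or CISA's code) compares a reported Chrome/Chromium version string against the 137.0.7151.68 threshold stated above. It uses numeric rather than string comparison so that a build such as 137.0.7151.9 ranks correctly below .68. The `local_chrome_version` helper, the binary names it probes, and the `SAMPLE_INVENTORY` dictionary are assumptions and constructed sample data; derivative browsers such as Edge, Opera, Brave and Vivaldi carry their own version lines and must be checked against their vendors' fixed versions, not this one.

```python
"""Check reported Chrome/Chromium versions against the CVE-2025-5419 fix.

Added example for this advisory; not Google's or CISA's tooling.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

# Fixed version named in the advisory (Linux build; Windows/Mac shipped .68/.69).
FIXED_VERSION = "137.0.7151.68"

# Binary names probed on PATH (assumption: Linux/macOS style installs that
# accept --version; Windows installs are not covered by this helper).
CHROME_BINARIES = ("google-chrome", "google-chrome-stable",
                   "chromium", "chromium-browser")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the four-part dotted Chrome version from a string such as
    'Google Chrome 137.0.7151.68'. Returns None when no version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True when the version is strictly older than the fixed build,
    False when it is the fixed build or newer, None when unparseable.
    Tuple comparison is numeric per component, so .9 < .68 as intended."""
    observed = parse_version(version_text)
    threshold = parse_version(fixed)
    if observed is None or threshold is None:
        return None
    return observed < threshold


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host's reported version string to 'vulnerable', 'patched'
    or 'unknown' so the result can feed a ticket or dashboard."""
    verdicts = {}
    for host, version_text in inventory.items():
        state = is_vulnerable(version_text)
        if state is None:
            verdicts[host] = "unknown"
        else:
            verdicts[host] = "vulnerable" if state else "patched"
    return verdicts


def local_chrome_version() -> Optional[str]:
    """Best-effort query of the first Chrome/Chromium binary found on PATH.
    Returns the raw '--version' output, or None if nothing usable is found."""
    for name in CHROME_BINARIES:
        path = shutil.which(name)
        if not path:
            continue
        try:
            proc = subprocess.run([path, "--version"], capture_output=True,
                                  text=True, timeout=10, check=False)
        except (OSError, subprocess.SubprocessError):
            return None
        return proc.stdout.strip() or None
    return None


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 136.0.7103.114",   # pre-fix release line
    "ws-02": "Google Chrome 137.0.7151.68",    # exactly the fixed build
    "ws-03": "Chromium 137.0.7151.69",         # newer than the fix
    "ws-04": "Google Chrome 137.0.7151.9",     # numerically older than .68
    "ws-05": "not installed",                  # cannot be assessed
}


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
    local = local_chrome_version()
    if local is not None:
        print(f"this machine: {local} -> {triage({'localhost': local})['localhost']}")
```

Hosts reported as "unknown" still need follow-up: an unparseable string usually means the browser is absent, managed by a different package channel, or the inventory agent failed, none of which should be read as "patched".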
This represents the third actively exploited Chrome zero-day vulnerability discovered in 2025, highlighting the persistent threat landscape targeting web browsers.