CVE-2025-6554

CVSS 8.1 HIGHEPSS 6.6%● KEVCWE-843

In short

A type confusion bug in Chrome's V8 JavaScript engine allows attackers to read and write arbitrary data on your computer through a malicious website. This happens because the browser incorrectly handles certain data types, giving attackers unauthorized access.

Technical detail

Type confusion vulnerability in V8 engine (CWE-843) enables arbitrary memory read/write operations when processing crafted HTML/JavaScript. Attack vector is remote via malicious webpage; requires user to visit attacker-controlled site. Impact includes potential code execution and sensitive data exfiltration.

Summary generated and translated by AI from the official description.

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products

Google · Chrome

public PoCs found — 7

githubgithub.com/aklnjakln/CVE-2025-6554★ 31 githubgithub.com/Muhammednihalmp/Google-chrome-zero-day★ 12 githubgithub.com/gmh5225/CVE-2025-6554-2★ 2 githubgithub.com/PwnToday/CVE-2025-6554★ 2 githubgithub.com/ghostn4444/POC-CVE-2025-6554★ 1 githubgithub.com/LordBheem/CVE-2025-6554★ 0 githubgithub.com/gmh5225/CVE-2025-6554★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop_30.html https://issues.chromium.org/issues/427663123 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6554