Summary
Both high-severity vulnerabilities reside in Google Chrome and are reachable remotely via a specially crafted HTML page, so simply loading an attacker-controlled web page (or an ad or iframe served from one) is enough to trigger them. CVE-2025-5063 is a use-after-free in the browser's Compositing component: memory freed while layered page elements are being rendered can be referenced again, corrupting the heap and potentially giving an attacker control of execution in the renderer process. CVE-2025-5280 is an out-of-bounds write in the V8 JavaScript engine: attacker-controlled JavaScript can write past the end of a heap allocation, which likewise corrupts the heap and could lead to arbitrary code execution in the renderer process. Note that the renderer process is itself sandboxed by Chrome; running code natively on the underlying system would normally require chaining either bug with a separate sandbox-escape vulnerability. Google's release note does not report in-the-wild exploitation of either issue.
Integrity360 will maintain a high level of attention on any alerts that could be indicative of exploitation of these vulnerabilities for our existing MDR (Managed Detection and Response) customers. If you aren't a customer of Integrity360, please click the "Under Attack?" button on this website. We're here to help.
Technical Details:
- CVE-2025-5063
  - Description: Use after free in Compositing in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  - CVSS v3 Base Score: 8.8
  - Severity: High
- CVE-2025-5280
  - Description: Out of bounds write in V8 in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
  - CVSS v3 Base Score: 8.8
  - Severity: High
Recommended Actions:
Update Chrome to the stable-channel versions below, or later. Chrome downloads updates in the background, but the new build only takes effect after the browser is relaunched, so verify the running version at chrome://settings/help (or chrome://version) rather than relying on the update having been downloaded:
- 137.0.7151.55 for Linux
- 137.0.7151.55/56 for Windows and Mac
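For fleet checks it helps to compare the installed build numerically against the fixed version rather than by string. The script below is an added example written for this bulletin, not code from Integrity360 or Google: it parses `--version` style output, compares the four-part build against 137.0.7151.55 (the lowest fixed build on every platform, since Windows and Mac shipped .55 and .56), and optionally probes common Chrome binary names on the local host. The sample strings in `__main__` are constructed, and the binary names and paths probed are assumptions that may not match every install.

```python
"""Check whether a Chrome version string is at or past the fixed build.

Added example for this bulletin; not Integrity360's or Google's code.
"""
import re
import subprocess
from typing import Optional, Tuple

# Lowest fixed build listed in the Chrome stable-channel post for 27 May 2025.
# Windows/Mac shipped 137.0.7151.55 and .56, Linux shipped .55, so any build
# >= 137.0.7151.55 contains the fixes for CVE-2025-5063 and CVE-2025-5280.
FIXED_VERSION = (137, 0, 7151, 55)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Assumed binary names/paths; adjust for your own environment.
_CANDIDATE_BINARIES = (
    "google-chrome",
    "google-chrome-stable",
    "chromium",
    "chromium-browser",
    "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a four-part Chrome version from a string such as
    'Google Chrome 137.0.7151.55' or 'Chromium 136.0.7103.113 snap'.
    Returns None when no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, build, patch = (int(x) for x in match.groups())
    return (major, minor, build, patch)


def is_patched(text: str) -> Optional[bool]:
    """True if the version in `text` is >= FIXED_VERSION, False if older,
    None if no version could be parsed. Tuple comparison is numeric, so
    137.0.7151.9 correctly sorts before 137.0.7151.55; a plain string
    comparison would rank '9' above '55' and report a vulnerable build as safe."""
    version = parse_version(text)
    if version is None:
        return None
    return version >= FIXED_VERSION


def installed_chrome_version() -> Optional[str]:
    """Return the first successful `--version` output from the candidate
    binaries, or None if none is present. Works for Linux and macOS builds;
    on Windows, chrome.exe does not print its version to stdout, so read the
    version from the registry or the binary's file properties instead."""
    for exe in _CANDIDATE_BINARIES:
        try:
            result = subprocess.run(
                [exe, "--version"], capture_output=True, text=True, timeout=10
            )
        except (FileNotFoundError, PermissionError, subprocess.TimeoutExpired):
            continue
        if result.returncode == 0 and result.stdout.strip():
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    # Constructed sample strings standing in for `--version` output.
    samples = [
        "Google Chrome 136.0.7103.114",   # pre-fix build: vulnerable
        "Google Chrome 137.0.7151.9",     # numerically older than .55
        "Google Chrome 137.0.7151.55",    # Linux fixed build
        "Google Chrome 137.0.7151.56",    # Windows/Mac fixed build
        "Chromium 138.0.7204.49 snap",    # later release, includes fixes
    ]
    for s in samples:
        print(f"{s!r:40} patched={is_patched(s)}")

    live = installed_chrome_version()
    if live is None:
        print("No Chrome binary found on PATH; nothing to check locally.")
    else:
        print(f"Installed: {live!r} patched={is_patched(live)}")
```

A `None` result from `is_patched` means the input carried no version at all and should be treated as "unknown", not as "safe"; the script deliberately keeps that case distinct from a genuine pre-fix build.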
References:
https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html
https://www.securityweek.com/chrome-137-firefox-139-patch-high-severity-vulnerabilities/
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.