🟢 CVE-2025-13223

CVE-2025-13223 is a type confusion vulnerability in Chrome's V8 engine exploited via crafted HTML pages. While actively exploited in the wild, it requires user interaction to visit malicious websites, making it primarily a client-side phishing attack rather than direct server exploitation.

Risk Level: LOW_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1189 — Drive-by Compromise

Deployment Risk: VERY_LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: USER_INTERACTION

CVE Published: 2025-11-17

Added to CISA KEV: 2025-11-19 (2 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2025-11-19)

CVE-2025-13223 is a high-severity type confusion vulnerability affecting Google Chrome's V8 JavaScript and WebAssembly engine [1][2]. Here's what is known about its exploitation:

  • Affected Applications/Services: The vulnerability affects Google Chrome and other Chromium-based browsers like Microsoft Edge [6][4]. Since it is exploited through web browsers, it affects internet-facing applications [4].
  • Active Exploitation: CVE-2025-13223 has been actively exploited in the wild [1][11]. Google released a security fix for this zero-day vulnerability due to active exploitation [10][9].
  • Attack Vectors/Exploitation Methods: The vulnerability allows a remote attacker to exploit heap corruption by using a crafted HTML page [3][4]. Successful exploitation can lead to arbitrary code execution or program crashes [1].
  • Targeted Attacks: Observed exploitation includes targeted attacks against journalists and political dissidents [2].
  • CISA KEV Status: CISA has added CVE-2025-13223 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation [5].
  • Technical Details: CVE-2025-13223 is a type confusion vulnerability in the V8 engine [4][7]. Type confusion occurs when the engine incorrectly assumes the type of an object at runtime, leading to memory errors [8][7]. The CVSS score is 8.8, indicating high severity [1]. The attack vector is network-based, with low attack complexity, requiring user interaction [3].

Sources

  1. The Hacker News | #1 Trusted Source for Cybersecurity News — Index...

    The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly engine that could be exploited to achieve arbitrary code execution or program crashes. "Type Confusion in V8 in Google Chrome prior to 142.0.7444.175 allowed a remot…

  2. CVE-2025-13223 — Google Chrome +1 | dbugs

    Details on CVE-2025-13223: Google Chrome +1. Includes CVSS score, affected versions, and references. The vulnerability was discovered by Google’s Threat Analysis Group on November 12, 2025. This is the seventh zero-day vulnerability addressed in Chrome this year. Exploitation has been observed in tar…

  3. CVE-2025-13223 - Vulnerability Details - OpenCVE

    Exploitation none. Automatable no. Technical Impact total.(Chromium security severity: High)"}], "id": "CVE-2025-13223", "lastModified": "2025-11-18T02:15:43.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseSco…

  4. Google patches yet another exploited Chrome zero-day ...

    CVE-2025-13223 is a type confusion vulnerability in V8, the JavaScript and WebAssembly engine used by Chrome and Chromium-based browsers. The ...

  5. CISA Adds One Known Exploited Vulnerability to Catalog

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.