Google has patched a critical zero-day vulnerability in its Chrome browser, identified as CVE-2025-5419, which has been actively exploited in the wild. This high-severity flaw, with a CVSS score of 8.8, affects the V8 JavaScript engine used in Chrome prior to version 137.0.7151.68. The vulnerability arises from out-of-bounds read and write operations, potentially allowing remote attackers to exploit heap corruption through a specially crafted HTML page.
The flaw was disclosed on June 2, 2025, and was quickly added to the Known Exploited Vulnerabilities (KEV) catalog by June 5, 2025, underscoring its critical nature. The Exploit Prediction Scoring System (EPSS) for this vulnerability is relatively low at 0.033, but the fact that it was exploited within two days of disclosure highlights the urgency for users to update their browsers.
Proof-of-concept (PoC) exploits for CVE-2025-5419 are already available, with at least six known examples circulating. This increases the risk of exploitation, as attackers can leverage these PoCs to target unpatched systems. The Stakeholder-Specific Vulnerability Categorization (SSVC) advises immediate attention to this vulnerability.
Users and administrators are strongly urged to update to the latest version of Google Chrome to mitigate the risk posed by this vulnerability. The update not only addresses this specific flaw but also includes other security improvements. Given the active exploitation and the availability of PoCs, delaying the update could expose systems to potential attacks.
CSURFACE