A critical Remote Code Execution (RCE) flaw in Google Chrome, tracked as CVE-2025-1195777, has had its technical details and proof-of-concept exploit publicly disclosed, leaving unpatched systems highly susceptible to full system compromise.
Unexpected WebAssembly Bug Sparks Critical RCE
During the TyphoonPWN 2025 competition, researcher Seunghyun Lee (0x10n) uncovered a subtle WebAssembly canonicalization bug in Chrome’s V8 engine.
The flaw stems from improper nullability checks in the CanonicalEqualityEqualValueType routine introduced in commit 44171ac (M135).
By finding a hash collision between two reference types that differ only by nullability, achievable via a birthday attack on MurmurHash64A, an attacker can bypass Wasm type guarantees and craft out-of-bounds primitives.
Combined with a novel JSPI-based sandbox bypass in Chromium’s M137 update, this leads directly to arbitrary code execution on the host machine.
CVE Details, Impact, and Exploit Availability
Google has yet to ship an official patch for M135–M136 on stable channels, leaving versions from 137.0.7151.40 onward exposed until the fix lands.
The exploit leverages a two-stage chain: first hijacking the Wasm sandbox via nullability confusion, then abusing JS Promise Integration’s secondary stack feature to orchestrate a stack pivot and deploy a ROP chain.
A full proof-of-concept, delivered as exp.html, spawns an unprivileged shell (calc.exe) when run under Chrome with --no-sandbox, demonstrating complete remote code injection.
| CVE ID | Affected Versions | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-1195777 | Chrome 137.0.7151.40 – 138.0.7204.4 | Remote code execution on host | JavaScript execution in browser; no sandbox flag | 9.8 |
Until an official Chrome update is available, organizations should consider temporarily disabling WebAssembly via enterprise policy or rolling out a custom build with backported nullability checks.
Network-based defenses, such as Content Security Policy with disallowed inline scripts, can reduce exposure to malicious pages hosting the exploit.
Users are strongly urged to avoid browsing untrusted sites in Chrome and monitor for Google’s imminent security patch, expected in the next Stable channel release.
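The CSP recommendation above is only as good as the policy a site actually serves. The following is an added example, not code from the article or from the Chromium project: a small Python auditor that parses a Content-Security-Policy header and reports whether the effective script source list still permits inline scripts, eval, or WebAssembly compilation (Chrome allows WebAssembly compilation under CSP only when script-src carries 'unsafe-eval' or 'wasm-unsafe-eval'). The sample headers are constructed for illustration; the function names are the example's own.

```python
"""Audit a Content-Security-Policy header for script settings relevant to
WebAssembly-based exploit pages.

Added example, not part of the article. Sample headers below are constructed.
"""
from __future__ import annotations

# Keywords that weaken script-src. Chrome gates WebAssembly compilation on the
# script-src list: it is permitted when 'unsafe-eval' or 'wasm-unsafe-eval' is present.
INLINE_KEYWORDS = {"'unsafe-inline'"}
EVAL_KEYWORDS = {"'unsafe-eval'"}
WASM_KEYWORDS = {"'unsafe-eval'", "'wasm-unsafe-eval'"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive-name: [source expressions]}.

    Directives are ';'-separated; the first token of each is the directive
    name (case-insensitive) and the rest are whitespace-separated sources.
    A repeated directive is ignored by browsers, so the first one wins here too.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """Return the list governing scripts: script-src, else the default-src fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_csp(header: str) -> dict[str, bool]:
    """Report which script capabilities the header leaves open.

    inline        - inline <script> blocks and event handlers may run
    eval          - eval()/Function() may run
    wasm          - WebAssembly modules may be compiled (Chrome semantics)
    nonce_or_hash - a nonce or hash source is present
    """
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        # Neither script-src nor default-src: scripts are entirely unrestricted.
        return {"inline": True, "eval": True, "wasm": True, "nonce_or_hash": False}

    # Keywords are matched case-insensitively; nonce/hash values are only prefix-checked.
    lowered = {s.lower() for s in sources}
    nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present.
    inline = bool(lowered & INLINE_KEYWORDS) and not nonce_or_hash
    return {
        "inline": inline,
        "eval": bool(lowered & EVAL_KEYWORDS),
        "wasm": bool(lowered & WASM_KEYWORDS),
        "nonce_or_hash": nonce_or_hash,
    }


# Constructed sample headers, from permissive to strict.
SAMPLE_HEADERS = {
    "permissive": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "wasm-only": "script-src 'self' 'wasm-unsafe-eval'",
    "no-script-directive": "img-src 'self'",
    "strict": "default-src 'none'; script-src 'self' 'nonce-c0nstructed'; object-src 'none'",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:20} {audit_csp(header)}")
```

Run the file directly to see each sample header's verdict; feed it a real header from `curl -I` output to check a site you operate. The "no-script-directive" case matters in practice: a CSP that only restricts images or frames puts no limit on scripts or WebAssembly at all.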