CVE-2024-0805 Overview
CVE-2024-0805 is an inappropriate implementation vulnerability in the Downloads component of Google Chrome prior to version 121.0.6167.85. This security flaw allows a remote attacker to perform domain spoofing through the use of a crafted domain name, potentially deceiving users about the origin of downloaded files.
Critical Impact
Attackers can craft malicious domain names to spoof legitimate download sources, potentially tricking users into downloading and executing malicious files believing they originate from trusted domains.
Affected Products
- Google Chrome versions prior to 121.0.6167.85
- Fedora Project Fedora 38
- Fedora Project Fedora 39
Discovery Timeline
- January 24, 2024 - CVE-2024-0805 published to NVD
- June 20, 2025 - Last updated in NVD database
Technical Details for CVE-2024-0805
Vulnerability Analysis
This vulnerability (CWE-451: User Interface Misrepresentation of Critical Information) exists within Chrome's Downloads functionality where domain names are improperly validated or displayed. The inappropriate implementation allows attackers to craft specially formatted domain names that, when displayed in Chrome's download interface, appear to originate from legitimate or trusted sources when they actually do not.
The attack requires user interaction—specifically, the victim must be enticed to initiate a download from a malicious website. Once triggered, the spoofed domain name could mislead users about the true source of the downloaded content, potentially leading to social engineering attacks where users trust and execute malicious files.
Root Cause
The root cause stems from insufficient validation and handling of domain names within Chrome's download notification and management system. The Downloads component failed to properly sanitize or correctly render certain crafted domain name patterns, enabling visual misrepresentation that could be exploited for domain spoofing attacks.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker would need to:
- Register or control a domain with a specially crafted name designed to exploit the rendering flaw
- Host malicious content on this domain
- Lure victims to the malicious site through phishing, malvertising, or other social engineering techniques
- Entice users to download files from the spoofed domain
When users initiate the download, Chrome's download interface displays the spoofed domain in a misleading manner, making it appear as if the file originates from a legitimate source. This could increase the likelihood that users will trust and execute the downloaded content.
Detection Methods for CVE-2024-0805
Indicators of Compromise
- Unusual download activity from domains with internationalized domain names (IDN) or homoglyph characters
- Downloads originating from domains that visually resemble but differ from legitimate trusted domains
- User reports of confusing or misleading domain names in download prompts
Detection Strategies
- Monitor endpoint browser version inventories to identify systems running vulnerable Chrome versions (prior to 121.0.6167.85)
- Implement web proxy logging to detect access to domains with suspicious naming patterns commonly used in spoofing attacks
- Deploy endpoint detection solutions to track browser-initiated downloads and correlate with known-bad domain patterns
Monitoring Recommendations
- Enable Chrome Enterprise reporting to track browser versions across managed endpoints
- Configure DNS security solutions to flag or block domains with homoglyph or IDN abuse patterns
- Implement user awareness training to help identify domain spoofing attempts in browser interfaces
How to Mitigate CVE-2024-0805
Immediate Actions Required
- Update Google Chrome to version 121.0.6167.85 or later immediately across all endpoints
- Verify Fedora systems have applied the latest security updates for Chrome packages
- Review and restrict download capabilities through Chrome Enterprise policies where appropriate
- Educate users about verifying download sources and recognizing potential domain spoofing attempts
Patch Information
Google has addressed this vulnerability in Chrome version 121.0.6167.85, released on January 23, 2024. The fix is included in the stable channel update detailed in the Google Chrome Release Update. Fedora users should apply the security updates announced via the Fedora Package Announcement for their respective Fedora versions.
Additional technical details about this vulnerability can be found in the CRBug Report #1514925.
Workarounds
- Enable Chrome's Enhanced Safe Browsing feature to provide additional protection against malicious downloads
- Implement strict Content Security Policies and download restrictions via Chrome Enterprise policies
- Deploy web filtering solutions to block access to newly registered or suspicious domains
- Consider using allowlisting approaches for download sources in high-security environments
# Verify Chrome version on Linux systems
google-chrome --version
# Update Chrome on Fedora systems
sudo dnf update chromium --refresh
# Check for Chrome updates via command line (Debian-based)
sudo apt update && sudo apt upgrade google-chrome-stable
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
