Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-1923

CVE-2025-1923: Google Chrome Auth Bypass Vulnerability

CVE-2025-1923 is an auth bypass flaw in Google Chrome's Permission Prompts that enables UI spoofing through malicious extensions. This article covers the technical details, affected versions, security impact, and mitigation.

Updated:

CVE-2025-1923 Overview

CVE-2025-1923 is a UI spoofing vulnerability affecting Google Chrome's Permission Prompts implementation. This inappropriate implementation flaw allows attackers who successfully convince users to install a malicious Chrome extension to perform UI spoofing attacks. The vulnerability exploits weaknesses in how Chrome handles permission prompts, enabling crafted extensions to manipulate the user interface in deceptive ways.

Critical Impact

Attackers can leverage malicious Chrome extensions to spoof permission prompts, potentially tricking users into granting unintended permissions or clicking on deceptive UI elements.

Affected Products

  • Google Chrome versions prior to 134.0.6998.35
  • All platforms running vulnerable Chrome versions (Windows, macOS, Linux)
  • Chrome-based browsers that incorporate affected Chromium components

Discovery Timeline

  • March 5, 2025 - CVE-2025-1923 published to NVD
  • April 1, 2025 - Last updated in NVD database

Technical Details for CVE-2025-1923

Vulnerability Analysis

This vulnerability stems from CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), a class of security issues that enables clickjacking and UI redressing attacks. The flaw exists in Chrome's Permission Prompts component, which is responsible for displaying security-sensitive dialogs to users when extensions or websites request elevated privileges.

The inappropriate implementation allows a crafted Chrome extension to manipulate how permission prompts are rendered, potentially overlaying malicious UI elements on top of legitimate browser interfaces. This creates opportunities for social engineering attacks where users may unknowingly interact with deceptive content while believing they are responding to authentic Chrome security prompts.

The attack requires user interaction—specifically, the victim must first install a malicious extension. This social engineering prerequisite explains why Chromium rates this as a low severity issue internally, despite the potential for integrity impacts through UI manipulation.

Root Cause

The root cause lies in insufficient isolation and validation of UI rendering contexts when Chrome extensions interact with the browser's permission prompt system. The implementation failed to properly restrict how extension-generated UI elements could be positioned relative to native browser chrome, allowing overlapping or spoofing of system dialogs.

Attack Vector

The attack vector is network-based but requires user interaction. An attacker must first distribute a malicious Chrome extension and convince the target user to install it. This typically involves:

  1. Creating a deceptive extension that appears legitimate
  2. Distributing the extension through phishing campaigns, malicious websites, or potentially through the Chrome Web Store (if review processes are bypassed)
  3. Once installed, the extension can manipulate permission prompts to spoof legitimate browser UI
  4. Users may then be tricked into granting additional permissions or interacting with malicious elements

The vulnerability mechanism involves the extension leveraging Chrome's APIs to create UI overlays that mimic or obscure genuine permission dialogs. For detailed technical information, refer to the Chromium Issue Tracker Entry.

Detection Methods for CVE-2025-1923

Indicators of Compromise

  • Presence of suspicious or recently installed Chrome extensions with excessive permission requests
  • Unusual permission prompt behavior, such as prompts appearing in unexpected contexts
  • User reports of confusing or duplicate permission dialogs
  • Extensions that request permissions inconsistent with their stated functionality

Detection Strategies

  • Monitor installed Chrome extensions across endpoints using browser management tools
  • Audit extension permissions and flag extensions with UI manipulation capabilities
  • Implement browser policy logging to track extension installations and permission grants
  • Deploy endpoint detection solutions that can identify suspicious browser behavior patterns
  • Review Chrome extension manifests for permissions like activeTab, tabs, or broad host permissions

Monitoring Recommendations

  • Enable Chrome Enterprise logging and centralize browser telemetry
  • Monitor for unexpected extension installations through EDR solutions
  • Track permission grant events in Chrome and alert on anomalous patterns
  • Implement user awareness training to recognize suspicious permission prompts
  • Regularly audit Chrome extension inventory against approved allowlists

How to Mitigate CVE-2025-1923

Immediate Actions Required

  • Update Google Chrome to version 134.0.6998.35 or later immediately
  • Review all installed Chrome extensions and remove any that are suspicious or unnecessary
  • Enable Chrome's Enhanced Safe Browsing feature for additional protection
  • Implement Chrome extension allowlisting via enterprise policies where applicable
  • Educate users about the risks of installing extensions from untrusted sources

Patch Information

Google has addressed this vulnerability in Chrome version 134.0.6998.35. The fix is included in the stable channel update announced on March 5, 2025. Organizations should deploy this update across all managed endpoints.

For detailed release information, see the Google Chrome Update Announcement.

Workarounds

  • Restrict Chrome extension installation to administrator-approved extensions only using ExtensionInstallAllowlist policy
  • Block all extension installations temporarily using ExtensionInstallBlocklist policy set to *
  • Enable Chrome's extension review features requiring administrator approval for new installations
  • Deploy browser isolation solutions for high-risk users to contain potential UI spoofing attacks
  • Consider using browser profiles with restricted extension capabilities for sensitive operations
bash
# Chrome Enterprise Policy Configuration (via registry on Windows)
# Block all extensions except those explicitly allowed
REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome" /v ExtensionInstallBlocklist /t REG_SZ /d "*" /f

# Allow only specific trusted extensions (replace with your approved extension IDs)
REG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v 1 /t REG_SZ /d "approved-extension-id-here" /f

# Force Chrome auto-updates to ensure patches are applied
REG ADD "HKLM\SOFTWARE\Policies\Google\Update" /v UpdateDefault /t REG_DWORD /d 1 /f

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne