CVE-2025-23086 Overview
CVE-2025-23086 is an Open Redirect vulnerability (CWE-601) affecting Brave Browser versions 1.70.x through 1.73.x on most desktop platforms. The vulnerability exists in a security feature designed to display a site's origin in OS-provided file selector dialogs during upload or download operations. Due to improper origin inference in certain cases, an attacker can leverage an open redirector on a trusted site to initiate downloads that falsely appear to originate from that trusted site in the file selection dialog.
Critical Impact
Attackers can abuse this vulnerability to conduct phishing attacks by making malicious downloads appear to originate from trusted websites, potentially leading users to execute malware or disclose sensitive information.
Affected Products
- Brave Browser versions 1.70.x through 1.73.x
- Desktop platforms (Windows, macOS, Linux)
Discovery Timeline
- 2025-01-21 - CVE-2025-23086 published to NVD
- 2025-03-22 - Last updated in NVD database
Technical Details for CVE-2025-23086
Vulnerability Analysis
This vulnerability stems from improper URL/origin validation in Brave Browser's file dialog feature. The browser implemented a security enhancement to display the originating site's domain when users are prompted to upload or download files. However, the origin inference logic fails to properly trace the request source when redirects are involved.
When a malicious site leverages an open redirect vulnerability on a legitimate, trusted website, the browser incorrectly attributes the download to the trusted site rather than the actual malicious origin. This creates a trust disparity where users believe they are downloading content from a known safe source.
Root Cause
The root cause, classified as CWE-601, is improper URL validation in the origin determination logic. When processing redirected requests, the browser's file dialog feature fails to track the original request initiator through the redirect chain. Instead, it displays the intermediate trusted domain that performed the redirect, rather than the final destination or the initial malicious source.
Attack Vector
The attack requires user interaction and exploits the trust relationship users have with known websites. It proceeds as follows:
- Identify a trusted website with an open redirector vulnerability
- Craft a URL that uses the trusted site's redirector to point to malicious content
- Deliver the crafted URL to victims through phishing, social engineering, or compromised websites
- When a victim clicks the link, Brave Browser displays the trusted site's origin in the file download dialog
- Seeing the trusted origin, the user is more likely to accept and execute the downloaded file
The attack mechanism relies on the combination of the open redirect on a trusted site and Brave's improper origin inference, creating a convincing social engineering vector.
Detection Methods for CVE-2025-23086
Indicators of Compromise
- Unusual redirect chains in browser history involving trusted sites redirecting to unknown domains
- Downloaded files attributed to trusted sites whose content types or file extensions don't match what that site normally serves
- User reports of unexpected download prompts from commonly trusted websites
- Network traffic showing redirect patterns from legitimate domains to suspicious endpoints
Detection Strategies
- Monitor for open redirect exploitation patterns in web proxy logs
- Implement browser version tracking to identify installations running vulnerable Brave versions (1.70.x-1.73.x)
- Deploy endpoint detection rules for suspicious download behaviors following redirect chains
- Correlate web traffic logs for redirect patterns involving trusted domains and external destinations
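As an added illustration of the log-correlation strategies listed above (this is example code, not from the page or from Brave), the following Python parses a few constructed proxy log lines in an assumed space-separated layout, reconstructs each client's request sequence, and flags a 3xx hop from a trusted domain to an external host that is followed within a short window by a file-type download from that host. The trusted-domain list, the download content-type set and the log format are assumptions.

```python
"""Flag redirect chains that start on a trusted domain, leave it, and end in a
file download. Added detection example; log layout, trusted domains and
download content types are assumptions, not from the advisory."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed: domains the organisation treats as trusted for this check.
TRUSTED_DOMAINS = {"example-bank.test", "intranet.example.test"}

# Content types a proxy would typically record for a file download (assumed set).
DOWNLOAD_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/zip",
    "application/x-msi",
}

# Constructed proxy log lines in an assumed format:
#   timestamp client status method url content_type location
# ("-" marks an absent field). The first two lines model the redirect pattern
# described in the advisory; the remaining lines are benign noise.
SAMPLE_LOG = """\
2025-02-01T10:00:01Z 10.0.0.5 302 GET https://example-bank.test/go?u=https://files.evil.test/statement.exe - https://files.evil.test/statement.exe
2025-02-01T10:00:02Z 10.0.0.5 200 GET https://files.evil.test/statement.exe application/x-msdownload -
2025-02-01T10:05:00Z 10.0.0.7 302 GET https://example-bank.test/login - https://example-bank.test/home
2025-02-01T10:05:01Z 10.0.0.7 200 GET https://example-bank.test/home text/html -
2025-02-01T10:09:00Z 10.0.0.9 200 GET https://files.evil.test/other.exe application/x-msdownload -
"""


@dataclass
class Entry:
    ts: datetime
    client: str
    status: int
    url: str
    ctype: str
    location: str


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' when it has none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    """True when host is a trusted domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def parse_log(text: str) -> list[Entry]:
    """Split each non-empty line into the seven assumed fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, status, _method, url, ctype, location = line.split(" ", 6)
        entries.append(Entry(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                             client, int(status), url, ctype, location))
    return entries


def find_suspicious_chains(entries, window=timedelta(seconds=30)):
    """Return (client, redirector_url, download_url) for every trusted-site
    redirect whose target host is outside the trusted set and which is
    followed, from the same client within `window`, by a download from that
    target host."""
    findings = []
    by_client = {}
    for e in entries:
        by_client.setdefault(e.client, []).append(e)
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if not (300 <= e.status < 400) or e.location == "-":
                continue
            if not is_trusted(host_of(e.url)) or is_trusted(host_of(e.location)):
                continue  # only trusted -> external hops are of interest
            target = host_of(e.location)
            for later in evs[i + 1:]:
                if later.ts - e.ts > window:
                    break
                if host_of(later.url) == target and later.ctype in DOWNLOAD_TYPES:
                    findings.append((client, e.url, later.url))
                    break
    return findings


if __name__ == "__main__":
    for client, redirector, download in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(f"{client}: redirect via {redirector} -> download {download}")
```

The internal redirect on 10.0.0.7 and the direct download by 10.0.0.9 are deliberately left unflagged: the signal worth alerting on is the combination of a trusted origin handing the client off to an external host and a download arriving from that host shortly afterwards, which is the pattern the indicators above describe.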
Monitoring Recommendations
- Enable detailed browser logging to capture full redirect chains for forensic analysis
- Monitor file download events correlated with redirect activity in network telemetry
- Implement user awareness training to report suspicious download dialogs showing unexpected origins
- Track Brave Browser update deployment to ensure vulnerable versions are patched
How to Mitigate CVE-2025-23086
Immediate Actions Required
- Update Brave Browser to version 1.74.x or later immediately
- Audit organization endpoints for vulnerable Brave Browser versions (1.70.x-1.73.x)
- Educate users about verifying download sources beyond the displayed origin dialog
- Consider temporarily blocking or monitoring downloads from known open redirector endpoints
Patch Information
Brave Software has addressed this vulnerability in Brave Browser versions beyond 1.73.x. Organizations should update to the latest stable release of Brave Browser to remediate this issue. The fix properly traces the origin through redirect chains to accurately display the true source of download requests.
For additional details, refer to the HackerOne Report #2888770.
Workarounds
- Disable automatic downloads in Brave Browser settings until updates can be applied
- Use browser extensions or proxy solutions to block known open redirect URLs on trusted sites
- Implement strict download policies requiring users to verify file sources through alternative means
- Consider using alternative browsers for sensitive operations until Brave is updated
# Check Brave Browser version on Linux/macOS
# (the official Linux packages install the binary as brave-browser; try that name if "brave" is not on PATH)
brave --version
# Print the version of the installed app on macOS
/Applications/Brave\ Browser.app/Contents/MacOS/Brave\ Browser --version
# Force Brave update check (macOS)
/Applications/Brave\ Browser.app/Contents/MacOS/Brave\ Browser --check-for-update-interval=0
# Verify current version is patched (should be 1.74.x or higher)
# If version shows 1.70.x through 1.73.x, update immediately
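As an added example complementing the shell commands above (example code, not from the page or from Brave Software), the following Python classifies `--version` output against the affected range the advisory gives, 1.70.x through 1.73.x, so the check can be scripted across an endpoint inventory. The output layout ("Brave Browser 1.73.97 Chromium: ...") and the candidate binary names are assumptions.

```python
"""Classify a Brave Browser build against the affected range given in the
advisory (1.70.x through 1.73.x; 1.74.x and later are fixed). Added example;
the --version output layout and the binary names are assumptions."""
import os
import re
import shutil
import subprocess
from typing import Optional

AFFECTED_LOW = (1, 70)   # first affected major.minor (from the advisory)
AFFECTED_HIGH = (1, 73)  # last affected major.minor; 1.74.x and later are fixed

# Assumed command names / paths to try on the three desktop platforms.
CANDIDATE_BINARIES = [
    "brave-browser",
    "brave",
    "/Applications/Brave Browser.app/Contents/MacOS/Brave Browser",
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(output: str) -> Optional[tuple[int, int, int]]:
    """Return the first x.y.z triple in --version output, e.g.
    'Brave Browser 1.73.97 Chromium: 131.0.6778.139' -> (1, 73, 97).
    The layout is assumed; the first triple is taken as Brave's own version."""
    m = VERSION_RE.search(output)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version: tuple[int, int, int]) -> bool:
    """True when major.minor lies inside the affected range (inclusive)."""
    return AFFECTED_LOW <= version[:2] <= AFFECTED_HIGH


def classify(output: str) -> str:
    """Map --version output to 'vulnerable', 'not-in-affected-range' or 'unknown'."""
    v = parse_version(output)
    if v is None:
        return "unknown"
    return "vulnerable" if is_affected(v) else "not-in-affected-range"


def detect_installed_version() -> Optional[str]:
    """Run the first Brave binary found and return its --version output."""
    for name in CANDIDATE_BINARIES:
        path = name if os.path.isfile(name) else shutil.which(name)
        if not path:
            continue
        try:
            return subprocess.run([path, "--version"], capture_output=True,
                                  text=True, timeout=15).stdout
        except (OSError, subprocess.SubprocessError):
            continue
    return None


if __name__ == "__main__":
    out = detect_installed_version()
    if out is None:
        print("Brave Browser not found via the assumed binary names")
    else:
        print(out.strip(), "->", classify(out))
```

Because the advisory scopes the issue by major.minor, the check compares only those two components; a build such as 1.69.x falls outside the affected range and is reported as such rather than as patched, which keeps the script honest about what the advisory actually states.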
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

