Skip to main content
CVE Vulnerability Database

CVE-2025-8579: Google Chrome XSS Vulnerability

CVE-2025-8579 is an XSS vulnerability in Google Chrome's Picture In Picture feature that enables UI spoofing attacks. This article covers the technical details, affected versions, security impact, and mitigation strategies.

Published:

CVE-2025-8579 Overview

CVE-2025-8579 is a user interface (UI) spoofing vulnerability in the Picture In Picture (PiP) component of Google Chrome. The flaw affects Chrome versions prior to 139.0.7258.66 across Windows, macOS, and Linux desktop platforms. A remote attacker who convinces a user to perform specific UI gestures can spoof interface elements through a crafted HTML page. The Chromium project rated the internal security severity as Low, while NVD assigned a medium CVSS score of 4.3. The vulnerability is tracked under CWE-79 and requires user interaction, which limits its exploitability. No exploit code is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Critical Impact

Attackers can spoof browser UI elements to deceive users, potentially enabling phishing or credential theft through crafted web pages.

Affected Products

  • Google Chrome desktop versions prior to 139.0.7258.66
  • Chrome running on Microsoft Windows
  • Chrome running on Apple macOS and Linux distributions

Discovery Timeline

  • 2025-08-07 - CVE-2025-8579 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8579

Vulnerability Analysis

The vulnerability resides in Chrome's Picture In Picture implementation, which allows video content to display in a floating, always-on-top window separate from the main browser frame. Chrome improperly renders or handles UI elements within the PiP window when specific user gestures interact with a crafted HTML page. This creates opportunities for attackers to overlay or mimic legitimate browser controls, address bar content, or system dialogs. The confidentiality impact is rated None, and the integrity impact is Low, reflecting that the flaw primarily enables deception rather than direct data compromise. Successful exploitation depends on both a remote attacker-controlled page and specific user interaction, which reduces the attack surface. The EPSS probability is 0.234%, indicating a low likelihood of observed exploitation.

Root Cause

The root cause is an inappropriate implementation in the PiP feature that fails to enforce strict UI isolation between attacker-controlled web content and trusted browser chrome. This aligns with [CWE-79] classification, where improperly neutralized content in a web context enables interface manipulation.

Attack Vector

The attack vector is network-based. An attacker hosts a malicious HTML page and lures a victim to visit it. The victim must then perform specific UI gestures such as clicking, dragging, or activating PiP mode. Once triggered, the crafted page manipulates the PiP window to display spoofed content that appears trustworthy. See the Chromium Issue Tracker Entry for technical details.

Detection Methods for CVE-2025-8579

Indicators of Compromise

  • Users reporting unexpected floating windows displaying browser or system-like dialogs during video playback
  • Web page traffic to untrusted domains that invoke the Picture In Picture API followed by credential entry prompts
  • Chrome browser versions below 139.0.7258.66 reported by endpoint inventory systems

Detection Strategies

  • Inventory browser versions across the fleet and flag any Chrome installation prior to 139.0.7258.66
  • Monitor web proxy and DNS logs for connections to newly registered or low-reputation domains associated with phishing campaigns
  • Correlate user-reported phishing incidents with browser telemetry indicating PiP activation from external sites

Monitoring Recommendations

  • Enable browser version reporting through enterprise management tools such as Chrome Browser Cloud Management
  • Track user interaction patterns with unfamiliar domains that request PiP or fullscreen APIs
  • Review anti-phishing gateway logs for HTML content invoking pictureInPictureElement or requestPictureInPicture methods from suspicious origins

How to Mitigate CVE-2025-8579

Immediate Actions Required

  • Update Google Chrome to version 139.0.7258.66 or later on all Windows, macOS, and Linux endpoints
  • Verify that Chrome auto-update is enabled and functioning across managed devices
  • Communicate the risk of PiP-based UI spoofing to users and reinforce phishing awareness training

Patch Information

Google released the fix in the Chrome Stable channel update 139.0.7258.66 for desktop. Full details are available in the Google Chrome Desktop Update advisory. Administrators should deploy the patch through standard software distribution channels or allow the built-in auto-update mechanism to complete.

Workarounds

  • Restrict access to untrusted websites through web filtering or DNS-layer controls until patching is complete
  • Disable the Picture In Picture feature via enterprise policy where video PiP functionality is not required
  • Instruct users to close unexpected floating windows and verify credential prompts through the main browser window
bash
# Enterprise policy example to control Chrome auto-update on managed endpoints
# Windows registry - enforce minimum Chrome version through Chrome Browser Cloud Management
# macOS - deploy Chrome 139.0.7258.66 or later via MDM package
# Linux - update via package manager, e.g.:
sudo apt-get update && sudo apt-get install --only-upgrade google-chrome-stable

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.