CVE-2025-9865 Overview
CVE-2025-9865 affects Google Chrome on Android in versions prior to 140.0.7339.80. The flaw resides in the browser Toolbar component and stems from an inappropriate implementation that enables domain spoofing. A remote attacker who convinces a user to perform specific user interface gestures can misrepresent the origin displayed in the address bar through a crafted HTML page. The Chromium project classifies the security severity as Medium. The weakness maps to CWE-451: User Interface Misrepresentation of Critical Information, which covers spoofing conditions that mislead users about the trust context of a site.
Critical Impact
Attackers can trick mobile users into trusting a spoofed domain in the Chrome for Android address bar, enabling credential phishing and social engineering against high-value targets.
Affected Products
- Google Chrome for Android versions prior to 140.0.7339.80
- Google Android devices running vulnerable Chrome builds
- Chromium-based mobile browsers that inherit the same Toolbar implementation
Discovery Timeline
- 2025-09-03 - CVE-2025-9865 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-9865
Vulnerability Analysis
CVE-2025-9865 is a user interface spoofing vulnerability in the Chrome for Android Toolbar. The Toolbar component renders the omnibox, security state indicators, and origin information for the currently loaded page. An inappropriate implementation in this component allows a crafted HTML page to influence what the Toolbar displays after specific user gestures. The result is a mismatch between the actual origin of the loaded content and the origin shown to the user.
Spoofing conditions in mobile browsers are amplified by the compact form factor. Users rely on the truncated address bar to make trust decisions, and any inconsistency between the rendered content and the displayed origin can be leveraged for phishing, credential theft, and drive-by social engineering campaigns. The vulnerability requires user interaction, which limits automated mass exploitation but suits targeted attacks delivered through messaging, ads, or compromised sites.
Root Cause
The root cause is an inappropriate implementation inside the Toolbar rendering logic that fails to preserve the accurate origin state during specific UI transitions. Chromium tracks the issue in the Chromium Issue Tracker Entry. The flaw falls under [CWE-451] because the browser presents security-critical information (the origin) that does not correspond to the actual navigation context.
Attack Vector
Exploitation requires a remote attacker to lure a user to a crafted HTML page and induce specific gestures such as taps, scrolls, or navigation actions. Once the gesture sequence executes, the Toolbar displays a spoofed domain while the page content remains under attacker control. The attacker can then present cloned login forms, fake banking prompts, or fraudulent consent dialogs that appear to originate from a trusted domain. Network access to deliver the payload is the only precondition, and no authentication is required.
No verified public proof-of-concept code has been released. See the Google Chrome Desktop Update and the Chromium Issue Tracker Entry for vendor references.
Detection Methods for CVE-2025-9865
Indicators of Compromise
- Chrome for Android clients reporting a user-agent version below 140.0.7339.80 in web server or proxy logs.
- User reports of address bar content that does not match the visible page, especially on login or payment flows.
- Suspicious HTML pages that trigger navigation, history manipulation, or full-screen APIs immediately after a tap or scroll gesture.
Detection Strategies
- Inventory managed Android fleets and enumerate installed Chrome versions through Mobile Device Management (MDM) telemetry.
- Inspect web gateway logs for HTML responses that combine history.pushState, window.open, or fullscreen calls with heavy DOM manipulation targeting known brand domains.
- Correlate phishing report submissions with the referring URL and check whether the landing page renders content designed to overlap Toolbar state changes.
Monitoring Recommendations
- Alert on outbound connections from mobile endpoints to newly registered domains that impersonate corporate login portals.
- Track credential submissions originating from Chrome for Android sessions on unpatched versions.
- Ingest browser and MDM telemetry into a centralized data lake to correlate version drift with phishing incidents.
How to Mitigate CVE-2025-9865
Immediate Actions Required
- Update Google Chrome for Android to 140.0.7339.80 or later through the Google Play Store.
- Enforce a minimum Chrome version policy on managed Android devices through MDM or Android Enterprise controls.
- Notify users about the spoofing risk and reinforce guidance to verify origin details on high-trust transactions.
Patch Information
Google addressed CVE-2025-9865 in Chrome 140.0.7339.80 for Android. Details are published in the Google Chrome Desktop Update release notes and the Chromium Issue Tracker Entry. No configuration change is required after the update installs.
Workarounds
- Restrict browsing on unpatched devices to trusted, bookmarked domains until Chrome updates apply.
- Deploy phishing-resistant authentication such as FIDO2 security keys or platform passkeys to reduce the value of spoofed credential prompts.
- Enable Google Safe Browsing Enhanced Protection on Android to increase heuristic coverage of malicious pages.
# Verify installed Chrome version on an Android device via adb
adb shell dumpsys package com.android.chrome | grep versionName
# Expected output for a patched device
# versionName=140.0.7339.80 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

