CVE-2025-9867 Overview
CVE-2025-9867 is a user interface (UI) spoofing vulnerability in the Downloads component of Google Chrome on Android. The flaw affects versions prior to 140.0.7339.80 and stems from an inappropriate implementation [CWE-451] that allows a remote attacker to deceive users via a crafted HTML page. Successful exploitation requires user interaction but no authentication. The vulnerability enables attackers to misrepresent download origins or filenames, increasing the likelihood that mobile users save and execute malicious files. Google has classified the Chromium security severity as Medium.
Critical Impact
Attackers can craft HTML pages that spoof Chrome's Downloads UI on Android, tricking users into trusting and opening malicious files.
Affected Products
- Google Chrome on Android prior to 140.0.7339.80
- Google Android devices running vulnerable Chrome builds
- Mobile deployments relying on Chrome for file downloads
Discovery Timeline
- 2025-09-03 - CVE-2025-9867 published to NVD
- 2025-09-04 - Last updated in NVD database
Technical Details for CVE-2025-9867
Vulnerability Analysis
The vulnerability resides in Chrome's Downloads UI handling on Android. An attacker hosts a crafted HTML page that manipulates how download prompts, filenames, or origin indicators render. The mobile browser's limited screen real estate amplifies the spoofing risk because security indicators sit close to attacker-controlled content. The flaw maps to [CWE-451] — User Interface Misrepresentation of Critical Information. While the technical impact on confidentiality and integrity is limited, the social engineering payoff is significant. Users who trust the spoofed UI may install malware, surrender credentials, or execute payloads that bypass mobile platform protections. The attack requires no privileges, only user interaction with the malicious page.
Root Cause
The Downloads component fails to consistently present authoritative origin and file metadata when invoked from attacker-controlled HTML. The implementation does not enforce strict UI boundaries between page content and browser chrome during download flows on Android.
Attack Vector
The attack vector is network-based. An attacker delivers a crafted HTML page through phishing, malvertising, or a compromised site. When the victim interacts with the page on Chrome for Android, the Downloads UI presents misleading information about the file being saved. No exploit code is publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified proof-of-concept code is available for CVE-2025-9867. Technical details are tracked in the Chromium Issue Tracker Entry.
Detection Methods for CVE-2025-9867
Indicators of Compromise
- Unexpected download prompts originating from recently visited HTML pages on Android devices
- Files saved with mismatched extensions or origins that differ from the displayed source
- Mobile endpoints running Chrome for Android versions below 140.0.7339.80
Detection Strategies
- Inventory Chrome for Android versions across managed mobile fleets and flag builds prior to 140.0.7339.80
- Inspect mobile web gateway logs for HTML responses that trigger download flows immediately after page load
- Correlate user-reported phishing incidents with Android download activity to identify spoofing attempts
Monitoring Recommendations
- Forward Android Chrome version telemetry to your central logging platform for continuous version compliance checks
- Monitor mobile threat defense alerts for suspicious APK or document downloads following web browsing sessions
- Track URL reputation feeds and block domains associated with credential phishing or fake download landing pages
How to Mitigate CVE-2025-9867
Immediate Actions Required
- Update Chrome for Android to version 140.0.7339.80 or later through the Google Play Store
- Push enterprise mobility management (EMM) policies that enforce automatic Chrome updates on managed devices
- Communicate phishing awareness reminders covering mobile download prompts and unexpected file requests
Patch Information
Google released the fix in the Chrome stable channel referenced in the Google Chrome Desktop Update advisory. Android users receive the update through the Play Store. Verify the installed version meets or exceeds 140.0.7339.80.
Workarounds
- Restrict download permissions on managed Android devices until patching is complete
- Use mobile threat defense or web filtering solutions to block known phishing and malvertising domains
- Advise users to verify file origin and extension before opening any download on mobile devices
# Verify Chrome version on a managed Android device via adb
adb shell dumpsys package com.android.chrome | grep versionName
# Expected output should show 140.0.7339.80 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

