CVE-2026-45245 Overview
CVE-2026-45245 affects the Steipete Summarize browser extension prior to version 0.15.1. The vulnerability resides in the hover summary feature, which dispatches authenticated daemon requests in response to mouseover events without verifying that the events originated from genuine user interaction. Malicious web pages can synthesize mouseover events over attacker-controlled links to coerce the extension into issuing authenticated requests to arbitrary URLs, including local and private-network endpoints. This effectively turns the extension into a server-side request forgery (SSRF) primitive against the user's internal network. The flaw is classified under CWE-918: Server-Side Request Forgery.
Critical Impact
Attackers can route authenticated requests through the Summarize daemon to reach private-network and loopback endpoints, exposing internal services to unauthorized access via stored extension tokens.
Affected Products
- Steipete Summarize browser extension versions prior to 0.15.1
- Chrome extension component apps/chrome-extension (hover controller and content script)
- Local Summarize daemon endpoints reachable via stored authentication tokens
Discovery Timeline
- 2026-05-18 - CVE-2026-45245 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
- Patch reference - Fix landed via GitHub Pull Request #218 and commit ecbb2c4, released in v0.15.2
Technical Details for CVE-2026-45245
Vulnerability Analysis
The Summarize extension exposes a hover summary feature that triggers when a user hovers over a link. The hover content script forwards the link URL to the extension background, which then issues an authenticated request to the local Summarize daemon. Prior to 0.15.1, the content script did not verify whether the triggering DOM event was generated by genuine user interaction. Any script in the page could call element.dispatchEvent(new MouseEvent('mouseover')) on an attacker-controlled anchor to force the extension into requesting any URL the attacker chose. Because the daemon request carries the user's stored token, the resulting traffic is authenticated and can target internal services that would otherwise be unreachable from the public web.
Root Cause
The root cause is a missing trust check on the originating DOM event. The hover handler treated all mouseover events identically and did not consult the Event.isTrusted property, which differentiates user-initiated events from script-synthesized ones. Combined with the lack of host validation on the hovered URL, the extension would relay requests targeting 127.0.0.1, RFC1918 ranges, and link-local addresses through the authenticated daemon channel.
Attack Vector
An attacker hosts a page containing hidden or styled anchor elements whose href points at local or private-network URLs such as http://127.0.0.1:8080/admin or http://192.168.1.1/. Page JavaScript dispatches synthetic mouseover events at these anchors. The Summarize hover handler accepts the events as legitimate hover triggers and instructs the daemon to fetch each URL with the user's authentication token attached. Responses or side effects from those internal endpoints are then reachable to the attacker through subsequent extension interactions.
// Patch in apps/chrome-extension/src/entrypoints/hover.content.ts
// Adds a trust check rejecting synthetic mouseover events
export function shouldHandleHoverTriggerEvent(event: Pick<Event, "isTrusted">): boolean {
return event.isTrusted === true;
}
function ensureTooltip(): Tooltip {
ensureStyle();
let el = document.getElementById(TOOLTIP_ID) as HTMLDivElement | null;
Source: github.com/steipete/summarize commit ecbb2c4
// Patch in apps/chrome-extension/src/entrypoints/background/hover-controller.ts
// Adds private-network host filtering before issuing daemon requests
function isPrivateIpv4(hostname: string): boolean {
const parts = hostname.split(".");
if (parts.length !== 4) return false;
const octets = parts.map((part) => Number.parseInt(part, 10));
if (octets.some((octet, index) => !/^\d+$/.test(parts[index]) || octet < 0 || octet > 255)) {
return false;
}
const [first, second] = octets;
return (
first === 10 ||
first === 127 ||
(first === 172 && second >= 16 && second <= 31) ||
(first === 192 && second === 168) ||
(first === 169 && second === 254) ||
first === 0
);
}
function isPrivateIpv6Hostname(hostname: string): boolean {
const normalized = hostname.toLowerCase();
if (!normalized.startsWith("[") || !normalized.endsWith("]")) return false;
const address = normalized.slice(1, -1);
return (
address === "::1" ||
address.startsWith("fe8") ||
address.startsWith("fe9") ||
address.startsWith("fea")
);
}
Source: github.com/steipete/summarize commit ecbb2c4
Detection Methods for CVE-2026-45245
Indicators of Compromise
- Authenticated requests from the Summarize daemon to loopback addresses (127.0.0.0/8, ::1) or RFC1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) shortly after a user visits an untrusted page.
- Daemon access logs showing requests to internal admin paths or metadata endpoints such as 169.254.169.254.
- Browser extension telemetry indicating hover summary activations without corresponding pointer or focus user input.
Detection Strategies
- Inventory installed browser extensions across managed endpoints and flag any Summarize installations with version below 0.15.1.
- Inspect host-based proxy or daemon logs for outbound HTTP requests targeting private or loopback IP ranges originating from the Summarize background process.
- Correlate web browsing telemetry with daemon request bursts to identify pages that trigger abnormal volumes of hover-summary fetches.
Monitoring Recommendations
- Alert on any local daemon listener receiving authenticated requests for hostnames that resolve into private-network address space.
- Monitor extension update channels and enforce a minimum version policy for steipete/summarize of 0.15.2 or later.
- Capture and review Event.isTrusted=false anomalies via extension developer logs in pre-production validation builds.
How to Mitigate CVE-2026-45245
Immediate Actions Required
- Upgrade the Summarize extension to version 0.15.2 or later on all user endpoints.
- Restrict the local Summarize daemon to bind only to 127.0.0.1 and require token rotation after upgrade.
- Audit recent daemon request logs for unexpected internal URLs and investigate any matches as potential exploitation.
Patch Information
The fix is delivered in Summarize 0.15.2 via Pull Request #218 and commit ecbb2c4. The patch hardens the hover trust boundary by adding shouldHandleHoverTriggerEvent, which rejects events where isTrusted is not true, and introduces isPrivateIpv4 and isPrivateIpv6Hostname host filters in the background hover controller. Together these changes block both the synthetic-event trigger and the private-network destination. Additional details are available in the Vulncheck advisory and the v0.15.2 release notes.
Workarounds
- Disable the hover summary feature in the extension settings until the upgrade to 0.15.2 is deployed.
- Block extension access to private-network ranges via host firewall rules or browser enterprise policy that restricts extension host permissions.
- Revoke any stored daemon authentication tokens and reissue them after confirming the patched version is installed.
# Verify installed extension version and force update via Chrome enterprise policy
# Example managed policy (JSON) enforcing minimum version 0.15.2
cat > /etc/opt/chrome/policies/managed/summarize-min-version.json <<'EOF'
{
"ExtensionSettings": {
"<summarize-extension-id>": {
"installation_mode": "force_installed",
"update_url": "https://clients2.google.com/service/update2/crx",
"minimum_version_required": "0.15.2"
}
}
}
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
