Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
Released: Feb 13, 2025
Last updated: Feb 21, 2025
- Assigning CNA: Microsoft
- CVE.org link: CVE-2025-21401
- Impact: Security Feature Bypass
- Max Severity: Low
- Weakness
- CVSS Source: Microsoft
- Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C
- Metrics: CVSS:3.1 base score 4.5 / temporal score 3.9
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
  - Confidentiality: Low
  - Integrity: Low
  - Availability: Low
  - Exploit Code Maturity: Unproven
  - Remediation Level: Official Fix
  - Report Confidence: Confirmed
Please see Common Vulnerability Scoring System for more information on the definition of these metrics.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
FAQ
What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 133.0.3065.69 | 2/14/2025 | 133.0.6943.98/.99 |
According to the CVSS metrics, successful exploitation of this vulnerability could lead to minor loss of confidentiality (C:L), integrity (I:L) and availability (A:L). What does that mean for this vulnerability?
While we cannot rule out the impact to Confidentiality, Integrity, and Availability, the ability to exploit this vulnerability by itself is limited. An attacker would need to combine this with other vulnerabilities to perform an attack.
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.
What kind of security feature could be bypassed by successfully exploiting this vulnerability?
An attacker who successfully exploited this vulnerability could bypass a user gesture requirement.
According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send the user a malicious file and convince them to open it.
Acknowledgements
- Mohd Huzaifa
- findbug
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Disclaimer
Revisions
- Updated acknowledgment. This is an informational change only.
- Information published.