CVE-2025-0442: 
vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-0442 was discovered in Google Chrome's Payments feature prior to version 132.0.6834.83. The vulnerability allows a remote attacker to perform UI spoofing via a crafted HTML page when a user is convinced to engage in specific UI gestures. The issue was reported by Ahmed ElMasry on November 8, 2023 (Chrome Release).

The vulnerability stems from an inappropriate implementation in the Payments system of Google Chrome. It has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) (NVD, Palo Alto).

The vulnerability allows attackers to perform UI spoofing attacks that could lead to the theft of sensitive payment information, including shipping addresses, email addresses, and telephone numbers stored in Chrome's payment system (Chrome Issue).

The vulnerability has been patched in Chrome version 132.0.6834.83. The fix involves closing the PaymentRequest UI when picture-in-picture occludes it, preventing potential UI spoofing attacks. Users are advised to update to this version or later (Chrome Release).