CVE-2025-0446: 
vulnerability analysis and mitigation

A vulnerability in Google Chrome's Extensions implementation (CVE-2025-0446) was discovered prior to version 132.0.6834.83. The vulnerability allows a remote attacker to perform UI spoofing through a crafted Chrome Extension when a user is convinced to engage in specific UI gestures. The issue was reported by Hafiizh on August 15, 2024, and was assigned a Low severity rating by the Chromium security team (Chrome Release).

The vulnerability is related to inappropriate implementation in the Extensions component of Google Chrome, specifically allowing extension popups to render over PWA (Progressive Web App) prompts. This UI spoofing vulnerability is similar to previous issues in Chrome's extension system. The vulnerability received a CVSS 3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, and was classified under CWE-290 (Authentication Bypass by Spoofing) (NVD).

The vulnerability could allow malicious extensions to trick users into interacting with PWA installation dialogs in unintended ways. While the impact is considered Low severity, it could potentially lead to user confusion and unintended interactions with security-sensitive dialogs (Chromium Issue).

The vulnerability has been fixed in Chrome version 132.0.6834.83 and later. The fix involves marking certain dialogs, including the PWA installation dialog, as security-sensitive for extensions, which prevents extension bubbles from rendering above these dialogs (Chrome Release).

The Chrome Vulnerability Rewards Program (VRP) Panel awarded the researcher $1,000 for reporting this security issue, acknowledging its lower impact nature but still recognizing its importance for Chrome's security (Chromium Issue).