CVE-2025-0996: 
vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-0996) was discovered in Google Chrome's Browser UI on Android devices prior to version 133.0.6943.98. The vulnerability, reported by yuki yamaoto on January 23, 2025, allows remote attackers to spoof the contents of the Omnibox (URL bar) through a crafted HTML page (Chrome Release, NVD).

The vulnerability has been assigned CWE-1007 (Insufficient Visual Distinction of Homoglyphs Presented to User). According to the CVSS 3.1 scoring by CISA-ADP, it received a base score of 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD).

The vulnerability could allow attackers to deceive users by spoofing the URL displayed in the browser's address bar, potentially leading to phishing attacks or other forms of user deception. This could result in low-level compromises of both confidentiality and integrity, though availability is not affected (NVD, Palo Alto).

Google has addressed this vulnerability in Chrome version 133.0.6943.98 for Android. Users are advised to update their browsers to this version or later to mitigate the risk (Chrome Release).