CVE-2025-12905: 
Google Chrome vulnerability analysis and mitigation

A security vulnerability identified as CVE-2025-12905 was discovered in Google Chrome's Downloads feature on Windows systems prior to version 140.0.7339.80. The vulnerability was reported by Tom Haas on July 12, 2025, and was publicly disclosed in September 2025. This security issue specifically affects the Windows version of Google Chrome (Chrome Release, NVD).

The vulnerability stems from an inappropriate implementation in the Downloads component of Google Chrome on Windows, which could allow bypass of the Mark of the Web (MOTW) security feature through a crafted HTML page. The severity of this vulnerability has been assessed as Low by Chromium security team, with a CVSS 3.1 base score of 5.4 (Medium) according to CISA-ADP. The vulnerability is classified under CWE-346 (Origin Validation Error) (NVD, Ubuntu).

The vulnerability allows a remote attacker to bypass Mark of the Web security feature via a crafted HTML page. Mark of the Web is a Windows security feature that indicates files downloaded from the internet, and bypassing it could lead to reduced security warnings for downloaded files (NVD).

Google has addressed this vulnerability in Chrome version 140.0.7339.80 for Windows. Users are advised to update their Chrome browsers to this version or later to receive the security fix. The fix was included in the September 2025 stable channel update (Chrome Release).