CVE-2025-34090: 
Google Chrome vulnerability analysis and mitigation

A security bypass vulnerability exists in Google Chrome AppBound cookie encryption mechanism due to insufficient validation of COM server paths during inter-process communication. This vulnerability, identified as CVE-2025-34090, was discovered in July 2025 and affects Chromium-based browsers with AppBound Encryption enabled. The vulnerability allows a local low-privileged attacker to bypass the protections intended by the AppBound encryption design (MITRE CVE, VulnCheck Advisory).

The vulnerability stems from a flaw in the COM class identifier (CLSID) registration validation used by Chrome's elevation service. When exploited, Chrome silently falls back to the legacy cookie encryption mechanism, which is only protected by user-DPAPI. The vulnerability has received a CVSS v4.0 score of 9.3 (CRITICAL) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. The vulnerability is associated with CWE-426 (Untrusted Search Path) and CWE-276 (Incorrect Default Permissions) (VulnCheck Advisory, CyberArk Research).

The vulnerability enables cookie decryption by any user-context malware without requiring SYSTEM-level access. This effectively bypasses the AppBound encryption design's protections and allows cookie theft from Chromium-based browsers, potentially exposing sensitive user session data (MITRE CVE, CyberArk Research).

As of June 23rd, 2025, Google has implemented a partial solution in Chrome, but it is disabled by default. A complete solution is planned for a future release. Users and administrators should monitor for updates and apply them when available (CyberArk Research).

The vulnerability was discovered by Ari Novick of CyberArk Labs and responsibly disclosed to Google. The discovery has highlighted significant concerns about the security of browser cookie encryption mechanisms and the potential implications for user privacy (CyberArk Research).