CVE-2025-34091
Google Chrome vulnerability analysis and mitigation

Overview

A padding oracle vulnerability exists in Google Chrome's AppBound cookie encryption mechanism due to observable decryption failure behavior in Windows Event Logs when handling malformed ciphertext in SYSTEM-DPAPI-encrypted blobs. The vulnerability was discovered in July 2025 and affects Google Chrome with AppBound Encryption enabled, as well as potentially other Chromium-based browsers that implement similar COM-based encryption mechanisms (VulnCheck Advisory, CyberArk Blog).

Technical details

The vulnerability exploits a padding oracle attack against Chrome's AppBound cookie encryption implementation. A local attacker can repeatedly send malformed ciphertexts to the Chrome elevation service and distinguish between padding and MAC errors through Windows Event Log messages. This allows partial decryption of the SYSTEM-DPAPI layer and eventual recovery of the user-DPAPI encrypted cookie key. The attack, dubbed C4 (Chrome Cookie Cipher Cracker), takes approximately 16 hours to complete due to multiple file operations and IPC requests required for each guess. The vulnerability has been assigned a CVSS v4.0 base score of 8.8 HIGH with vector CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (VulnCheck Advisory).
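A defender-side sketch of how the repeated decryption failures described above could be flagged. It is an added example, not taken from the advisory or from Chrome, and counts failure events in a sliding window. The record format, the `elevation_service` source label, the `decrypt_failed` outcome and the thresholds are assumptions; map them to the events your own log pipeline exports.

```python
from collections import deque
from datetime import datetime, timedelta

FAILURE = "decrypt_failed"  # assumed outcome label, not a real event field


def find_failure_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """Return (first_seen, last_seen, count) for each run of failures in which
    at least `threshold` failures fall inside a sliding `window`.
    Input lines must be in chronological order."""
    recent = deque()   # timestamps of failures still inside the window
    bursts = []
    in_burst = False
    for line in lines:
        if not line.strip():
            continue
        ts_text, _source, outcome = line.split()
        if outcome != FAILURE:
            continue
        ts = datetime.fromisoformat(ts_text)
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) < threshold:
            in_burst = False
        elif in_burst:
            bursts[-1][1] = ts        # extend the open burst
            bursts[-1][2] += 1
        else:
            bursts.append([recent[0], ts, len(recent)])
            in_burst = True
    return [tuple(b) for b in bursts]


def constructed_sample():
    """Constructed records: three isolated failures, then 60 failures 2 s apart."""
    fmt = "{} elevation_service {}"
    day = datetime(2025, 7, 2, 9, 0, 0)
    lines = [fmt.format((day + timedelta(minutes=20 * i)).isoformat(), FAILURE)
             for i in range(3)]
    lines.append(fmt.format((day + timedelta(minutes=90)).isoformat(), "decrypt_ok"))
    start = day + timedelta(hours=2)
    lines += [fmt.format((start + timedelta(seconds=2 * i)).isoformat(), FAILURE)
              for i in range(60)]
    return lines


if __name__ == "__main__":
    for first, last, count in find_failure_bursts(constructed_sample()):
        print(f"burst: {count} failures between {first} and {last}")
```

Tune `window` and `threshold` against the failure rate your environment normally produces; isolated failures are left unreported by design.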

Impact

This vulnerability undermines the core purpose of AppBound Encryption by enabling low-privileged cookie theft through cryptographic misuse and verbose error feedback. Additionally, the attack technique can potentially be used to decrypt any SYSTEM-DPAPI encrypted data, expanding the impact beyond just Chrome cookies (CyberArk Blog).

Mitigation and workarounds

As of June 23rd, 2025, Google has implemented a partial solution in Chrome, but it is disabled by default. A full solution is planned for a future release. No specific workarounds have been published (CyberArk Blog).

Community reactions

Microsoft initially rejected the vulnerability report, citing low practical exploitability due to environmental constraints. However, the security community, through CyberArk's research, has demonstrated the significance of the vulnerability and its broader implications for DPAPI encryption in Windows (CyberArk Blog).

This report was generated using AI.

Related Google Chrome vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2024-7024 | CRITICAL | 9.6 | Google Chrome | chromium | No | Yes | Sep 23, 2024 |
| CVE-2024-9859 | HIGH | 8.8 | Google Chrome | chromium | No | Yes | Oct 11, 2024 |
| CVE-2025-34092 | N/A | N/A | Google Chrome | chromium | No | Yes | Jul 02, 2025 |
| CVE-2025-34091 | N/A | N/A | Google Chrome | cpe:2.3:a:google:chrome | No | Yes | Jul 02, 2025 |
| CVE-2025-34090 | N/A | N/A | Google Chrome | cpe:2.3:a:google:chrome | No | Yes | Jul 02, 2025 |
