CVE-2025-4052: 
vulnerability analysis and mitigation

A vulnerability identified as CVE-2025-4052 was discovered in Google Chrome's DevTools component. The issue was reported by vanillawebdev on March 10, 2025, and affects versions prior to 136.0.7103.59. The vulnerability stems from an inappropriate implementation in DevTools that could allow a remote attacker to bypass discretionary access control when a user is convinced to perform specific UI gestures through a crafted HTML page (Chrome Releases).

The vulnerability has been classified with a severity rating of Low by the Chromium security team. However, CISA-ADP has assigned it a CVSS 3.1 Base Score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is categorized under CWE-838 (Inappropriate Encoding for Output Context) (NVD).

The vulnerability could potentially lead to discretionary access control bypass, which might allow attackers to gain unauthorized access to protected resources. The CVSS scoring indicates potential for high impacts on confidentiality, integrity, and availability if successfully exploited (CISA-ADP).

Google has addressed this vulnerability in Chrome version 136.0.7103.59. Users are advised to update their Chrome installations to this version or later. The fix has also been incorporated into various downstream products, including Debian's chromium packages (version 136.0.7103.59-2~deb12u2) and Palo Alto Networks' Prisma Access Browser (version 136.11.9.93) (Debian Security, Palo Alto).