CVE-2025-48883: 
PHP vulnerability analysis and mitigation

Chrome PHP, a library that allows users to control chrome/chromium in headless mode from PHP, was found to have a security vulnerability (CVE-2025-48883) where CSS Selector expressions were not properly encoded. This vulnerability was discovered in May 2025 and affects all versions prior to 1.14.0. The issue could potentially lead to cross-site scripting (XSS) vulnerabilities when handling CSS selector expressions (GitHub Advisory).

The vulnerability stems from improper encoding of CSS Selector expressions in the CssSelector class. When processing selectors like 'input[type="password"]', the lack of proper encoding could result in JavaScript syntax errors and potential script injection. The issue was particularly concerning because it allowed attackers to inject arbitrary JavaScript code through the selector parameter, which would be executed in the context of the browser (GitHub Pull).

The vulnerability could allow remote attackers to perform cross-site scripting (XSS) attacks if they could influence the contents of CSS selectors passed to the library. This could lead to arbitrary JavaScript execution within the browser context, potentially allowing attackers to steal sensitive information or perform unauthorized actions (GitHub Advisory).

The vulnerability has been patched in version 1.14.0 of the Chrome PHP library. For users unable to upgrade immediately, a workaround is available by manually encoding selectors using json_encode() before passing them to the library. The recommended workaround code is: if (\version_compare(\Composer\InstalledVersions::getVersion('chrome-php/chrome'), '1.14.0', '<')) { $selector = \json_encode($selector); } (GitHub Advisory).

The vulnerability was treated as a high-severity security issue by the project maintainers. The fix was implemented as a security patch in a minor release, breaking with semantic versioning conventions but following common security practice for addressing critical vulnerabilities (GitHub Pull).