Impact
This vulnerability arises from insufficient policy enforcement within the DevTools component of Google Chrome. It is classified as CWE-346 and results in a same-origin policy bypass. The flaw essentially allows a maliciously crafted web page to cause Chrome's development tools to ignore the same-origin restriction, potentially permitting the page to access cross-origin resources that would otherwise be blocked.
Affected Systems
Google Chrome stable channel users running any version earlier than 149.0.7827.115 are affected. The vulnerability exists in all installations that have not received the most recent update.
Risk and Exploitability
The CVSS score of 6.5 indicates a medium severity risk, while the EPSS score of less than 1% points to a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, implying no widespread exploitation has been reported. An attacker can activate the flaw by delivering a specially crafted HTML page to a victim’s browser, exploiting the DevTools component without requiring elevated user privileges.
OpenCVE Enrichment
Debian DSA