Impact
The vulnerability affects Google Chrome versions prior to 150.0.7871.47 and results from insufficient policy enforcement for extensions. An attacker who persuades a user to install a malicious extension can craft it to bypass the browser's content security policy (CSP), allowing arbitrary scripts to execute in the extension's or the target page's context. The Chromium security team rates the flaw low severity.
Affected Systems
Google Chrome on any operating system or device. All versions before 150.0.7871.47 are vulnerable; 150.0.7871.47 is the first fixed release.
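To turn the affected range above into a repeatable check, here is an added example (not part of the OpenCVE page or of Chromium's own tooling) that compares a Chrome version string component-wise against the fixed build 150.0.7871.47 and triages Chrome versions pulled from User-Agent strings, as a proxy or web-server log would provide them. The user-agent strings and the 149.0.7798.102 version in them are constructed sample data, not observed traffic.

```javascript
// Added example: version-range check for the fixed build named on this page.
// FIXED_VERSION comes from the advisory; everything else is illustrative.

const FIXED_VERSION = "150.0.7871.47";

// Parse "major.minor.build.patch" into four numbers. Missing trailing
// components are treated as 0; a malformed string throws rather than
// silently comparing as "not affected".
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.length > 4) throw new Error(`bad version: ${v}`);
  const nums = parts.map((p) => {
    if (!/^\d+$/.test(p)) throw new Error(`bad version component in: ${v}`);
    return Number(p);
  });
  while (nums.length < 4) nums.push(0);
  return nums;
}

// Component-wise numeric comparison (string comparison would rank
// "150.0.7871.9" above "150.0.7871.47"). Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed build predates the fixed build.
function isAffected(installed, fixed = FIXED_VERSION) {
  return compareVersions(installed, fixed) < 0;
}

// Extract the Chrome version token from a User-Agent string; null when the
// UA carries no "Chrome/<version>" token (e.g. Safari or Firefox).
function chromeVersionFromUserAgent(ua) {
  const m = /\bChrome\/(\d+(?:\.\d+){0,3})/.exec(ua);
  return m ? m[1] : null;
}

// Constructed sample User-Agent strings (not real log data).
const SAMPLE_UAS = [
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/149.0.7798.102 Safari/537.36",
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.7871.47 Safari/537.36",
  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15",
];

// One row per UA: the parsed version and whether it is in the affected range
// (null when the UA is not Chrome at all).
function triageUserAgents(uas) {
  return uas.map((ua) => {
    const version = chromeVersionFromUserAgent(ua);
    return { version, affected: version === null ? null : isAffected(version) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(triageUserAgents(SAMPLE_UAS));
}
```

Two caveats when using this against real logs: other Chromium-based browsers (Edge, Brave, Opera and others) also send a `Chrome/` token, so a match here only tells you the engine version, and their fixes ship on their vendors' own schedules; and an affected version in a log shows exposure, not exploitation, since the vulnerability still needs a malicious extension to be installed.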
Risk and Exploitability
Exploitation requires the user to install a malicious extension, so it depends on successful social engineering or phishing. No EPSS score is available and the issue is not listed in CISA's KEV catalog; the low CVSS score indicates low overall risk. Nonetheless, because an extension can defeat CSP controls, the flaw could facilitate broader attacks such as cross-site scripting or data exfiltration. The attack path is luring a user to install a malicious extension that abuses Chrome's extension APIs to bypass CSP enforcement; updating to 150.0.7871.47 or later removes the exposure.
OpenCVE Enrichment