Impact
Insufficient policy enforcement in Chrome’s FileSystem API allows a remote attacker to bypass the browser’s discretionary access control by loading a specially crafted HTML page. This flaw permits the attacker to read or write files not explicitly granted by the user, potentially leading to data leakage or modification. The weakness is an improper access control issue (CWE‑284).
Affected Systems
Google Chrome, any installation running a version earlier than 150.0.7871.47. The vulnerability was present in all Chrome builds before that patch release.
Risk and Exploitability
The CVSS score is not disclosed, and the EPSS metric is unavailable; the flaw is not listed in the CISA KEV catalog. The description rates it as low Chromium severity, indicating a modest overall risk. The attack vector is a crafted HTML served over the network, so an attacker must get a user to open or view the malicious page. Once the page is loaded, the attacker can read or modify files that normally fall under Chrome’s sandbox protections.
OpenCVE Enrichment