Impact
An attacker can exploit insufficient validation of untrusted input in the WebXR feature of Google Chrome to bypass navigation restrictions by serving a specially crafted HTML page. The flaw allows the attacker to redirect the user to arbitrary URLs, potentially leading to phishing or other malicious content. This represents a weakness in input validation and authorization control, permitting unauthorized navigation flows that the browser should have prevented.
Affected Systems
Google Chrome web browsers on all releases prior to version 150.0.7871.47 are vulnerable. Chromes that have not applied the 150.0.7871.47 update remain at risk.
Risk and Exploitability
The severity is classified as low, with the Chrome security team rating it low and the EPSS score not available. The flaw is not listed in the CISA KEV catalog. The attack vector is remote, via a crafted web page served to a user’s browser. No elevated privileges or system access are needed beyond rendering the page. Given the lack of publicly disclosed exploits, the likelihood of widespread exploitation remains modest.
OpenCVE Enrichment