CVE-2025-34090

Rejected reason: Neither filed by Chrome nor a valid security vulnerability.

CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

24 Jul 2025, 07:15

Type	Values Removed	Values Added
References	{'url': 'https://www.cyberark.com/resources/threat-research-blog/c4-bomb-blowing-up-chromes-appbound-cookie-encryption', 'name': 'https://www.cyberark.com/resources/threat-research-blog/c4-bomb-blowing-up-chromes-appbound-cookie-encryption', 'tags': [], 'refsource': ''} ~~{'url': 'https://vulncheck.com/advisories/google-chrome-appbound-cookie-encryption', 'name': 'https://vulncheck.com/advisories/google-chrome-appbound-cookie-encryption', 'tags': [], 'refsource': ''}~~
Summary	A security bypass vulnerability exists in Google Chrome AppBound cookie encryption mechanism due to insufficient validation of COM server paths during inter-process communication. A local low-privileged attacker can hijack the COM class identifier (CLSID) registration used by Chrome's elevation service and point it to a non-existent or malicious binary. When this hijack occurs, Chrome silently falls back to the legacy cookie encryption mechanism (protected only by user-DPAPI), thereby enabling cookie decryption by any user-context malware without SYSTEM-level access. This flaw bypasses the protections intended by the AppBound encryption design and allows cookie theft from Chromium-based browsers. Confirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms.	Rejected reason: Neither filed by Chrome nor a valid security vulnerability.

02 Jul 2025, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-02 20:15

Updated : 2025-07-24 07:15

NVD link : CVE-2025-34090

Mitre link : CVE-2025-34090

JSON object : View

Products Affected

No product.

CWE

No CWE.