We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-34090

Google Chrome AppBound Cookie Encryption Bypass via COM Hijacking



Description

A security bypass vulnerability exists in Google Chrome AppBound cookie encryption mechanism due to insufficient validation of COM server paths during inter-process communication. A local low-privileged attacker can hijack the COM class identifier (CLSID) registration used by Chrome's elevation service and point it to a non-existent or malicious binary. When this hijack occurs, Chrome silently falls back to the legacy cookie encryption mechanism (protected only by user-DPAPI), thereby enabling cookie decryption by any user-context malware without SYSTEM-level access. This flaw bypasses the protections intended by the AppBound encryption design and allows cookie theft from Chromium-based browsers. Confirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms.

Reserved 2025-04-15 | Published 2025-07-02 | Updated 2025-07-03 | Assigner VulnCheck


CRITICAL: 9.3CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Problem types

CWE-426 Untrusted Search Path

CWE-276 Incorrect Default Permissions

Product status

Default status
unaffected

127 before 129
affected

Credits

Ari Novick of CyberArk Labs finder

References

www.cyberark.com/...ng-up-chromes-appbound-cookie-encryption technical-description third-party-advisory

vulncheck.com/...es/google-chrome-appbound-cookie-encryption third-party-advisory

cve.org (CVE-2025-34090)

nvd.nist.gov (CVE-2025-34090)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-34090

Support options

Helpdesk Chat, Email, Knowledgebase