CVE-2025-5419

HIGH KEV

Google Chrome < 137.0.7151.68 - Out-of-bounds Read and Write in V8

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-5419 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 5, 2025. EIP tracks 7 public exploits from researchers including mistymntncop, bjrjk, XiaomingX.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-5419, a V8 JavaScript engine vulnerability involving incorrect store-store elimination optimization. The exploit leverages uninitialized memory access to achieve arbitrary read/write primitives.

Description

Out of bounds read and write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Exploits (7)

nomisec WORKING POC 92 stars
by mistymntncop · client-side
https://github.com/mistymntncop/CVE-2025-5419

This repository contains a functional exploit for CVE-2025-5419, a V8 JavaScript engine vulnerability involving incorrect store-store elimination optimization. The exploit leverages uninitialized memory access to achieve arbitrary read/write primitives.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: V8 JavaScript Engine (Chromium)
No auth needed
Prerequisites: V8 engine with specific build configuration · Ability to execute arbitrary JavaScript
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC 28 stars
by bjrjk · client-side
https://github.com/bjrjk/CVE-2025-5419

This repository contains a functional exploit PoC for CVE-2025-5419, targeting a memory corruption vulnerability in V8 (Chrome's JavaScript engine). The exploit leverages type confusion and GC manipulation to achieve arbitrary read/write primitives, enabling potential RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Google Chrome V8 (version 135.0.7049.52)
No auth needed
Prerequisites: Target running vulnerable Chrome version · Ability to execute JavaScript in the target context
devstral-2 · analyzed Feb 19, 2026 Full analysis →
github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-5419

This repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes methods for vulnerability detection, data extraction, and credential dumping.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026 Full analysis →
nomisec SCANNER 2 stars
by itsShotgun · poc
https://github.com/itsShotgun/chrome_v8_cve_checker

This repository contains a client-side JavaScript scanner that checks the Chrome version against known vulnerable versions for CVE-2025-5419 and CVE-2025-6554. It does not exploit the vulnerabilities but detects if the browser is vulnerable.

Classification
Scanner 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Google Chrome (versions before 137.0.7151.68 and 138.0.7204.96)
No auth needed
Prerequisites: User must visit the hosted page in a vulnerable Chrome browser
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec WORKING POC
by Riquelme54322 · poc
https://github.com/Riquelme54322/CVE-2025-5419

This repository contains a functional exploit PoC for CVE-2025-5419, targeting a memory corruption vulnerability in V8 (Chrome's JavaScript engine). The exploit leverages type confusion and GC manipulation to achieve arbitrary read/write primitives, enabling potential RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Racy
Target: Google Chrome V8 (version 135.0.7049.52)
No auth needed
Prerequisites: Target running vulnerable Chrome version · Ability to execute JavaScript in the target environment
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec SUSPICIOUS
by Riquelme54322 · poc
https://github.com/Riquelme54322/riquelme54322.github.io

The repository lacks actual exploit code and instead directs users to download external files from GitHub releases. The README is vague, uses marketing language, and does not provide technical details about the vulnerability.

Classification
Suspicious 95%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: V8 (unspecified version)
No auth needed
devstral-2 · analyzed Feb 19, 2026 Full analysis →
nomisec STUB
by riemannj · poc
https://github.com/riemannj/CVE-2025-5419

The repository contains only a minimal README with no exploit code, technical details, or functional proof-of-concept. It is a placeholder with no substantive content.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.0383
EPSS Percentile 88.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2025-06-05
VulnCheck KEV 2025-06-02
ENISA EUVD EUVD-2025-16695
CWE
CWE-125 CWE-787
Status published
Products (2)
google/chrome < 137.0.7151.68
microsoft/edge_chromium < 137.0.3296.62
Published Jun 03, 2025
KEV Added Jun 05, 2025
Tracked Since Feb 18, 2026