CVE-2025-34092

02.07.2025, 20:15

A cookie encryption bypass vulnerability exists in Google Chromes AppBound mechanism due to weak path validation logic within the elevation service. When Chrome encrypts a cookie key, it records its own executable path as validation metadata. Later, when decrypting, the elevation service compares the requesting processs path to this stored path. However, due to path canonicalization inconsistencies, an attacker can impersonate Chrome (e.g., by naming their binary chrome.exe and placing it in a similar path) and successfully retrieve the encrypted cookie key. This allows malicious processes to retrieve cookies intended to be restricted to the Chrome process only.

Confirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
VulnCheck	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-287 - Improper Authentication
When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

Vulnerability Media Exposure

[GERMAN] Google Chrome: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
Ein Angreifer kann mehrere Schwachstellen in Google Chrome ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
Published: 2025-07-02T22:00:00+00:00

References

https://vulncheck.com/advisories/google-chrome-appbound-cookie-encryption

https://www.cyberark.com/resources/threat-research-blog/c4-bomb-blowing-up-chromes-appbound-cookie-encryption