A security researcher, operating under the alias ‘Micky’, was awarded a top-tier bounty of $250,000 from Google for discovering a critical vulnerability in the Google Chrome browser. The flaw, designated as CVE-2025-4609, is a sandbox escape vulnerability located within the browser’s Mojo IPC (Inter-Process Communication) system. This vulnerability could be exploited to achieve remote code execution on a user’s system. The researcher’s Proof of Concept (PoC) demonstrated a high success rate, between 70% and 80%, for escaping the Chrome sandbox and executing system commands, highlighting the severity and effectiveness of the exploit.
The core of the vulnerability lies in the Mojo IPC framework, which is a crucial component of the Chromium project. Mojo is designed to facilitate communication between different processes within the browser, providing a structured and secure method for data exchange. It uses “message pipes” with two endpoints to send and receive asynchronous messages, with interfaces defined in special .mojom files. The specific issue reported by Micky was a complex logic bug in which an incorrect handle was provided under unspecified circumstances. An attacker could trigger the flaw by luring a user to a specially crafted malicious website, initiating a process that could lead to a breach of the browser’s security sandbox.
Upon receiving the report on April 22, Google’s Chrome Vulnerability Rewards Program (VRP) panel quickly acknowledged the severity of the bug. The company’s internal message to the researcher praised the work, stating it was “amazing” and exactly the kind of research they want to incentivize. Google responded by addressing the flaw in mid-May with the release of Chrome version 136. Following the fix, Google released a public advisory detailing the vulnerability, noting that untrusted nodes could reflect a broker-initiated transport back to the broker, which could lead to handle leaks. The fix involved two key changes: preventing untrusted transports from returning new links to brokers and ensuring process trustiness on Windows is correctly propagated when a transport is deserialized.
This recent bug bounty award comes on the heels of another significant Mojo vulnerability. In March 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a different Google Chromium Mojo sandbox escape vulnerability, CVE-2025-2783, to its Known Exploited Vulnerabilities (KEV) catalog. This earlier flaw was also an incorrect handle issue in Mojo on Windows and had been actively exploited in attacks targeting organizations in Russia. Google had to release out-of-band fixes to address this high-severity security vulnerability, underscoring the critical nature of flaws within the Mojo IPC system.
The two distinct Mojo vulnerabilities in a short period highlight the ongoing security challenges in complex software like web browsers. Google’s bug bounty program, with a substantial payout of $250,000 for Micky’s discovery, plays a vital role in encouraging security researchers to find and report these critical vulnerabilities. This proactive approach helps the company patch flaws before they can be widely exploited by malicious actors. The successful exploitation of these vulnerabilities, as seen in the attacks targeting Russian organizations, demonstrates how crucial it is to stay updated with the latest browser versions to ensure protection against such sophisticated attacks.