Multiple vulnerabilities in Microsoft Edge
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2025-47182 CVE-2025-6557 CVE-2025-47964 CVE-2025-47963 CVE-2025-6555 CVE-2025-6556 |
| CWE-ID | CWE-254 CWE-20 CWE-451 CWE-200 CWE-416 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Microsoft Edge Client/Desktop applications / Web browsers |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Security features bypass
EUVDB-ID: #VU111981
Risk: Low
CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-47182
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified error related to JavaScript processing. A local user with ability to execute Javascript in the impacted process can escape browser sandbox and perform unauthorized actions on the system.
MitigationInstall updates from Microsoft website.
Vulnerable software versionsMicrosoft Edge: 100.0.1185.29 - 137.0.3296.93
CPE2.3- cpe:2.3:a:microsoft:edge:100.0.1185.29:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.36:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.39:*:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-47182
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU111903
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6557
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.
MitigationInstall updates from Microsoft website.
Vulnerable software versionsMicrosoft Edge: 100.0.1185.29 - 137.0.3296.93
CPE2.3- cpe:2.3:a:microsoft:edge:100.0.1185.29:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.36:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.39:*:*:*:*:*:*:*
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-6557
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Spoofing attack
EUVDB-ID: #VU111982
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-47964
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to the Edge browser's tab-splitting feature, which allows users to browse two tabs simultaneously, displays only the domain prefix in the address bars instead of the full URL. Such behavior can be used to spoof the address bar in the tabs and perform phishing attacks.
MitigationInstall updates from Microsoft website.
Vulnerable software versionsMicrosoft Edge: 100.0.1185.29 - 137.0.3296.93
CPE2.3- cpe:2.3:a:microsoft:edge:100.0.1185.29:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.36:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.39:*:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-47964
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU111983
Risk: Medium
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-47963
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way browser handles certain files when open locally. A remote attacker can trick the victim into opening a specially crafted file that reads and shares with attacker information using JavaScript in the victim's browser associated with the vulnerable URL.
MitigationInstall updates from Microsoft website.
Vulnerable software versionsMicrosoft Edge: 100.0.1185.29 - 137.0.3296.93
CPE2.3- cpe:2.3:a:microsoft:edge:100.0.1185.29:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.36:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.39:*:*:*:*:*:*:*
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-47963
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU111901
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-6555
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within Animation in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.
MitigationInstall updates from Microsoft website.
Vulnerable software versionsMicrosoft Edge: 100.0.1185.29 - 137.0.3296.93
CPE2.3- cpe:2.3:a:microsoft:edge:100.0.1185.29:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.36:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.39:*:*:*:*:*:*:*
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-6555
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU111902
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-6556
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient policy enforcement in Loader in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.
MitigationInstall updates from Microsoft website.
Vulnerable software versionsMicrosoft Edge: 100.0.1185.29 - 137.0.3296.93
CPE2.3- cpe:2.3:a:microsoft:edge:100.0.1185.29:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.36:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:edge:100.0.1185.39:*:*:*:*:*:*:*
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-6556
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
