Vulnerability

CERT-In Vulnerability Note CIVN-2025-0354
Multiple Vulnerabilities in Microsoft Edge

Original Issue Date:December 08, 2025

Severity Rating: HIGH

Software Affected

Microsoft Edge Stable Channel (Chromium-based) versions prior to 143.0.3650.66

Overview

Multiple vulnerabilities have been reported in Microsoft Edge (Chromium-based) which could allow a remote attacker to execute arbitrary code, bypass security restrictions, perform spoofing attacks, gain elevated privileges, cause denial of service condition or access to sensitive information on the targeted system.

Target Audience:
All end-user organizations and individuals using Microsoft Edge (Chromium-based).

Risk Assessment:
High risk of full system compromise, unauthorized access to sensitive data, malware deployment, authentication bypass, or system instability.

Impact Assessment:
Potential for arbitrary code execution, service disruption, privilege escalation, or sensitive data disclosure.

Description

Microsoft Edge (Chromium-based) is a web browser developed by Microsoft using the Chromium engine, offering fast performance, enhanced security, and compatibility with modern web standards while integrating with Microsoft services.

Multiple vulnerabilities exist in Microsoft Edge (Chromium-based) due to spoofing, inappropriate implementation issues in multiple components (such as Passwords, WebRTC, Downloads, Split View, DevTools, Google Updater); race conditions and type confusion in V8; use-after-free in Media Stream and Digital Credentials; and bad cast in Loader component. A remote attacker could exploit these vulnerabilities by persuading a victim to visit a specially crafted or malicious webpage.

Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code, bypass security restrictions, perform spoofing attacks, gain elevated privileges, cause denial of service condition or access to sensitive information on the targeted system.

Solution

Apply the security updates released by Microsoft:
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#december-4-2025

Vendor Information

References

CVE Name
CVE-2025-13630
CVE-2025-13631
CVE-2025-13632
CVE-2025-13633
CVE-2025-13634
CVE-2025-13635
CVE-2025-13636
CVE-2025-13637
CVE-2025-13638
CVE-2025-13639
CVE-2025-13640
CVE-2025-13720
CVE-2025-13721
CVE-2025-62223

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India