SB2025062705 - Multiple vulnerabilities in Microsoft Edge

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Security features bypass (CVE-ID: CVE-2025-47182)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to an unspecified error related to JavaScript processing. A local user with ability to execute Javascript in the impacted process can escape browser sandbox and perform unauthorized actions on the system. 

2) Input validation error (CVE-ID: CVE-2025-6557)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input in DevTools in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and gain access to sensitive information.

3) Spoofing attack (CVE-ID: CVE-2025-47964)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the Edge browser's tab-splitting feature, which allows users to browse two tabs simultaneously, displays only the domain prefix in the address bars instead of the full URL. Such behavior can be used to spoof the address bar in the tabs and perform phishing attacks. 

4) Information disclosure (CVE-ID: CVE-2025-47963)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way browser handles certain files when open locally. A remote attacker can trick the victim into opening a specially crafted file that reads and shares with attacker information using JavaScript in the victim's browser associated with the vulnerable URL. 

5) Use-after-free (CVE-ID: CVE-2025-6555)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within Animation in Google Chrome. A remote attacker can trick the victim into visiting a specially crafted web page, trigger a use-after-free error and gain access to sensitive information.

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-6556)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient policy enforcement in Loader in Google Chrome. A remote attacker can trick the victim to visit a specially crafted website, bypass implemented security measures and gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-47182
• https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-6557
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-47964
• https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-47963
• https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-6555
• https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-6556