PT-2025-45516 · Google · Google Chrome

Published 2025-09-02 · Updated 2026-01-19 · CVE-2025-12907

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 140.0.7339.80

Description: A flaw exists in Google Chrome's DevTools due to insufficient validation of untrusted input. This can allow a remote attacker to execute arbitrary code through user interaction within DevTools. The issue stems from the 'Copy as cURL (cmd)' feature in DevTools not sanitizing the tab character (\t). Because cmd.exe interprets tabs as delimiters, an attacker can inject a tab, a command separator (like '&'), and a newline character into the payload. This causes the cURL argument to be ignored and allows the execution of additional arbitrary commands when the text is pasted into the command line. A proof-of-concept involves a malicious HTML page that, when copied as cURL (cmd) and pasted into the command line, executes calc.exe.

Recommendations: Update Google Chrome to version 140.0.7339.80 or later.
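The defect class described above, as an added illustration that is not Chromium's DevTools code: a simplified "Copy as cURL (cmd)" builder that quotes header values but passes control characters through, beside a hardened variant that neutralizes tab, CR and LF before quoting. The quoting helper, the header names and the URL are assumptions; the sample header value is constructed.

```javascript
// Constructed sample input (not from the advisory): one header value
// carrying the characters the advisory names (tab, '&', newline). The
// harmless 'echo' stands in for whatever would follow the separator.
const SAMPLE_URL = 'https://example.test/';
const SAMPLE_HEADERS = {
  'Accept': 'text/html',
  'X-Test': 'a\t& echo injected\r\nb',
};

// Simplified cmd.exe double-quoting (assumed helper, not a complete
// cmd.exe escaper). It does nothing about control characters.
function quoteCmdArg(value) {
  return '"' + value.replace(/"/g, '""') + '"';
}

// Vulnerable pattern: relies on quoting alone, so a tab, CR or LF in a
// header value reaches the clipboard text untouched.
function buildCurlCmdUnsafe(url, headers) {
  const parts = ['curl', quoteCmdArg(url)];
  for (const [name, value] of Object.entries(headers)) {
    parts.push('-H', quoteCmdArg(`${name}: ${value}`));
  }
  return parts.join(' ');
}

// Hardened pattern: a raw CR/LF ends the pasted command in cmd.exe and a
// tab acts as a delimiter, so control characters are replaced with a
// space before quoting. Rejecting the value is the stricter alternative.
const CMD_CONTROL_CHARS = /[\x00-\x1f\x7f]/g;

function neutralizeControlChars(value) {
  return value.replace(CMD_CONTROL_CHARS, ' ');
}

function buildCurlCmdSafe(url, headers) {
  const parts = ['curl', quoteCmdArg(neutralizeControlChars(url))];
  for (const [name, value] of Object.entries(headers)) {
    parts.push('-H', quoteCmdArg(neutralizeControlChars(`${name}: ${value}`)));
  }
  return parts.join(' ');
}

// Regression check for a unit test: generated command text must never
// contain a raw control character, whatever quoting was applied.
function containsCmdControlChars(commandLine) {
  return /[\x00-\x1f\x7f]/.test(commandLine);
}

console.log(buildCurlCmdSafe(SAMPLE_URL, SAMPLE_HEADERS));
```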

Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

BDU:2025-14028
CVE-2025-12907
DSA-5993-1

Affected Products

Debian
Google Chrome
Red Os