In early 2025, a vulnerability tracked as CVE-2025-13107 was disclosed in Google Chrome. This flaw is related to the browser's *compositing* subsystem, which is responsible for rendering different parts of a web page. While not as high-risk as some browser flaws, this bug could have let remote attackers create convincing fake browser UI elements, misleading users (also known as UI spoofing). Even though it’s marked as *low* severity, understanding how it works is valuable for developers, security folks, and anyone curious about browser security.

In this post, I’ll explain what was wrong in Chrome, show you a basic example, and link to all relevant references, so you can go deeper if you want.

What Happened? Understanding the Bug

Before Chrome version 140.0.7339.80, there was an *inappropriate implementation* in how the compositing part of Chrome handled UI layers. Compositing is the stage where the pieces of a web page are drawn and then combined into the final output you see on screen.

By exploiting this bug, an attacker could serve you a specially crafted HTML page. This page would trick the browser into placing fake UI elements—like address bars, permission prompts, or overlays—on the screen, making them look like they’re from Chrome itself.

Here's what makes this dangerous: If a phishing site can make a fake dialog that looks just like Chrome's own, some users might end up sharing sensitive information or taking unsafe actions.

How Did Attackers Use the Bug?

The core issue is that web content could escape its normal boundaries and appear exactly where Chrome’s own controls (like address bar or permission dialogs) show up.

A classic trick is to set up a website that, when opened, expands a fake UI element all the way to the top of the browser window, hiding the real UI and showing a fake one. This typically shouldn’t be possible—the browser is supposed to stop web pages from painting over its own chrome (the term for user interface elements like the toolbar).

This exploit involves manipulating CSS and positioning, sometimes even taking advantage of fullscreen API behavior or edge cases in how Chrome recycles UI layers.

Simple Example: Faking a Chrome Permission Popup

Here’s a quick HTML snippet that mimics a Chrome location permission dialog. With the bug, attackers could place this at the top of the page, sometimes overlapping the *real* browser controls.

<!DOCTYPE html>
<html>
<head>
<style>
/* Pinned to the top edge of the viewport and stretched across its full width,
   with a very high z-index so it sits above everything else on the page. */
#spoofed-ui {
    position: fixed;
    top: 0; left: 0; right: 0;
    width: 100vw;
    background: #f8f9fa;
    border-bottom: 1px solid #dadce0;
    box-shadow: 0 2px 6px rgba(60,64,67,.15);
    font-family: Arial, sans-serif;
    z-index: 9999;
    padding: 16px;
}
/* Styled to resemble Chrome's blue "Allow" button */
.button {
    background: #1a73e8;
    color: #fff;
    padding: 6px 18px;
    border: none;
    border-radius: 4px;
    margin-right: 10px;
    cursor: pointer;
}
</style>
</head>
<body>
<div id="spoofed-ui">
    <span style="margin-right: 16px;"><img src="chrome_icon.png" alt="" style="width:24px;vertical-align:middle;"> www.trusted-site.com wants to know your location</span>
    <button class="button">Allow</button>
    <button class="button" style="background:#eee; color:#202124;">Block</button>
</div>
<p>Danger: This is just a fake bar built with HTML, not real Chrome UI!</p>
</body>
</html>

This code by itself doesn’t attack Chrome, but with the compositing bug, it could be aligned *exactly* where real popups appear, potentially hiding the real bar. In the worst cases, it appeared over parts of the UI that should always remain chrome-only.

References and Patch Details

- Chromium issue tracker: CVE-2025-13107
- Chrome Release Notes – Check for 140.0.7339.80
- Chromium Security Policy
- UI Spoofing: What It Means

How to Stay Safe

- Update Chrome: Always keep your browser up to date. This bug is fixed in 140.0.7339.80 and all later versions.
- Check for Real UI: If something prompts you for permissions, look closely. The *real* Chrome dialogs can't be clicked and dragged by the website itself, and usually have subtle animation or positioning that's tricky to fake.
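As an added example (not part of the original post, and not Chrome's own code), here is a small heuristic scanner of the kind a browser extension or bookmarklet could run to flag page elements dressed up as a permission bar: fixed to the top edge, spanning the viewport, a very high z-index, and permission-prompt wording. The element shape, the thresholds, the `collectFromDocument` helper and the sample data are all constructed for illustration; the sample mirrors the post's `#spoofed-ui` div next to an ordinary sticky site header and a paragraph.

```javascript
// Heuristic "fake permission bar" scanner (added example, not from the post).
// Works on plain objects so it can run offline; in a browser, build the same
// objects from the live DOM with collectFromDocument(document, window).

// Wording that Chrome's own permission prompts use and a spoof is likely to copy.
const PERMISSION_WORDS = [
  /wants to (know|use|access)/i,
  /\ballow\b/i,
  /\bblock\b/i,
  /your (location|camera|microphone)/i,
];

// Returns the list of signals one element exhibits. Each signal matches a
// property of the spoofed bar shown earlier in the post.
function scoreOverlay(el, viewport) {
  const reasons = [];
  if (el.position === 'fixed' || el.position === 'sticky') reasons.push('fixed-or-sticky');
  if (el.rect.top <= 0) reasons.push('anchored-to-top-edge');
  if (el.rect.width >= 0.95 * viewport.width) reasons.push('full-viewport-width');
  if (el.zIndex >= 1000) reasons.push('very-high-z-index');
  if (PERMISSION_WORDS.some((re) => re.test(el.text))) reasons.push('permission-prompt-wording');
  return reasons;
}

// Flags every element with at least minSignals signals (threshold is an assumption).
function findSuspiciousOverlays(elements, viewport, minSignals = 4) {
  return elements
    .map((el) => ({ id: el.id, reasons: scoreOverlay(el, viewport) }))
    .filter((r) => r.reasons.length >= minSignals);
}

// Browser-side helper: collect the fields the scanner needs from real DOM nodes.
function collectFromDocument(doc, win) {
  return Array.from(doc.querySelectorAll('body *')).map((node) => {
    const cs = win.getComputedStyle(node);
    const r = node.getBoundingClientRect();
    return {
      id: node.id || node.tagName.toLowerCase(),
      position: cs.position,
      zIndex: parseInt(cs.zIndex, 10) || 0,
      rect: { top: r.top, width: r.width },
      text: node.textContent || '',
    };
  });
}

// Constructed sample input: the post's spoofed bar plus two benign elements.
const SAMPLE_VIEWPORT = { width: 1280, height: 720 };
const SAMPLE_ELEMENTS = [
  { id: 'spoofed-ui', position: 'fixed', zIndex: 9999, rect: { top: 0, width: 1280 },
    text: 'www.trusted-site.com wants to know your location Allow Block' },
  { id: 'site-header', position: 'sticky', zIndex: 10, rect: { top: 0, width: 1280 },
    text: 'Home Products About' },
  { id: 'body-text', position: 'static', zIndex: 0, rect: { top: 140, width: 900 },
    text: 'Danger: This is just a fake bar built with HTML, not real Chrome UI!' },
];

function runSample() {
  return findSuspiciousOverlays(SAMPLE_ELEMENTS, SAMPLE_VIEWPORT);
}

if (typeof document === 'undefined') {
  // Node.js: print the flagged elements and the reasons for each.
  console.log(JSON.stringify(runSample(), null, 2));
}
```

Only the spoofed bar crosses the threshold (five signals); the sticky site header collects three and is left alone. Treat this as a heuristic aid, not a fix: anything that runs in page context can itself be influenced by page content, so the real mitigation remains the patched Chrome build, and a flag from a scanner like this is a cue to look closely, not a verdict.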

Conclusion

CVE-2025-13107 shows how *even small bugs can lead to tricky security risks*. UI spoofing isn't as dangerous as remote code execution, but clever attackers can chain such flaws with phishing or social engineering for serious consequences. Keep your browser updated, and remember—not every popup is what it seems.

Stay safe online!

*This article is authored exclusively for educational purposes. All code and descriptions here should not be misused.*

Timeline

Published on: 11/14/2025 03:15:56 UTC
Last modified on: 11/17/2025 12:18:25 UTC