Google Chrome is the browser of choice for billions, but even the most trusted software can contain mistakes. One such mistake, CVE-2025-14373, was recently found in the toolbar of Chrome for Android. Before version 143.0.7499.110, this bug could let a remote attacker spoof the domain name shown in the address bar (toolbar) using a specially crafted web page.
This means someone could trick you into thinking you are on a legitimate site while you are actually on a malicious one. In this article, we explain how this class of spoof works, illustrate it with a code snippet, and provide resources for further reading.
What is CVE-2025-14373?
CVE-2025-14373 is a security vulnerability discovered in the Chrome for Android toolbar. The bug improperly handled URL updates and navigation, allowing an attacker to show a fake or misleading domain name in the address bar while loading content from a totally different site.
Imagine clicking a link, Chrome says you’re at "https://secure-bank.com", but in fact, you’re on a phishing site.
Affected versions: Chrome for Android before 143.0.7499.110
Official advisory:
- Chromium Security Advisory (search for corresponding release notes)
How Does the Exploit Work?
The attacker builds a web page around one trick: the phishing content is loaded in an iframe (or via a JavaScript-driven navigation), but the toolbar keeps displaying the trusted target domain.
1. The user visits the attacker's crafted page (attacker.com).
2. The page uses a full-screen iframe or a navigation trick that causes the address bar (toolbar) to keep showing the old, legitimate URL (such as bank.com).
3. The malicious content is displayed while the toolbar still shows the trusted address.
The root cause was that Chrome's toolbar did not clear or update the displayed address after certain JavaScript-driven or embedded navigations, leaving the door open to deception.
Demonstration: Simulated Exploit Code
Here is a simple HTML/JavaScript snippet that shows what such a domain spoofing attempt could look like against an unpatched browser:
<!DOCTYPE html>
<html>
<head>
<title>Fake Bank Page</title>
<style>
/* Make the iframe fill the viewport so only the phishing content is visible */
body, html { margin: 0; height: 100%; overflow: hidden; }
iframe { border: none; width: 100vw; height: 100vh; }
</style>
</head>
<body>
<!-- The content the user sees is served from the attacker's own origin -->
<iframe id="phishFrame" src="https://attacker.com/phish.html"></iframe>
<script>
// Attempt to keep the toolbar showing 'https://bank.com'.
// This approach relies on buggy URL updates; a spec-compliant browser
// throws a SecurityError here because bank.com is a different origin.
history.replaceState(null, '', 'https://bank.com');
</script>
</body>
</html>
> Note: This snippet is illustrative. In any spec-compliant browser, patched Chrome included, the replaceState call throws a SecurityError because https://bank.com is a different origin from attacker.com, so the snippet does not reproduce the bug on its own. A real-world attack would use more advanced navigation tricks to keep the toolbar from updating; the bug lay in Chrome's failure to update the visible address after certain history or iframe manipulations.
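To make the invariant concrete, here is an added example (not Chromium code) that models the same-origin check the HTML specification requires for the URL argument of history.pushState() and history.replaceState(): the toolbar may only display a URL that passed this check for the document actually being rendered, and a cross-origin candidate such as the https://bank.com in the snippet above must be rejected (the real API throws a SecurityError). The document URL and the candidate list are constructed for the demonstration and go somewhat beyond the snippet, covering protocol-relative, lookalike-host, scheme, port and opaque-origin cases.

```javascript
// Added example, not Chrome/Chromium code: a model of the same-origin check
// that the History API applies to a pushState()/replaceState() URL argument.

function checkHistoryUrl(documentUrlString, candidate) {
  const documentUrl = new URL(documentUrlString);
  let target;
  try {
    // Relative candidates resolve against the document's own URL, exactly as
    // the History API does, so '/login' stays on the current origin.
    target = new URL(candidate, documentUrl);
  } catch (err) {
    return { allowed: false, reason: 'unparseable URL', url: null };
  }
  // Opaque origins (javascript:, data:, ...) serialize as the string "null"
  // and can never match a document's tuple origin (scheme, host, port).
  if (target.origin === 'null' || target.origin !== documentUrl.origin) {
    return {
      allowed: false,
      reason: `origin mismatch: ${target.origin} vs ${documentUrl.origin}`,
      url: target.href,
    };
  }
  return { allowed: true, reason: 'same origin', url: target.href };
}

// Constructed cases (assumed names): what a page on attacker.com may and may
// not place in the address bar through the History API.
const DOCUMENT_URL = 'https://attacker.com/page.html';
const CASES = [
  '/login?next=bank.com',           // same origin, path/query only: allowed
  'https://attacker.com/#signin',   // same origin, fragment only: allowed
  'https://bank.com',               // the snippet above: cross-origin host
  '//bank.com/login',               // protocol-relative still resolves to bank.com
  'https://attacker.com.bank.com/', // lookalike suffix is a different host
  'http://attacker.com/page.html',  // scheme change is a different origin
  'https://attacker.com:8443/',     // explicit non-default port is a different origin
  'javascript:void(0)',             // opaque origin
];

function runCases() {
  return CASES.map((c) => ({ candidate: c, ...checkHistoryUrl(DOCUMENT_URL, c) }));
}

for (const r of runCases()) {
  console.log(`${r.allowed ? 'ALLOW ' : 'REJECT'} ${r.candidate.padEnd(32)} ${r.reason}`);
}
```

Only the first two candidates survive; everything that would change what the user reads as the site identity (host, scheme or port) is rejected before it can reach the toolbar, which is exactly the boundary the vulnerable toolbar code failed to honour after certain navigations.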
Why Is This Dangerous?
Most mobile users trust what’s in the toolbar—they check the lock icon or domain before entering login credentials. With this bug:
- Attackers could make phishing pages look exactly like trusted sites, complete with the correct address in the toolbar.
- Discovery: 2025 (the exact date is given in the public CVE record; such bugs are usually reported privately first)
- Patched: 143.0.7499.110 (see the Chrome Release Blog)
- Severity: Medium, likely because a user still had to visit the malicious site
Always update Chrome to the latest version!
Check your version: open Chrome > Settings > About Chrome.
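For fleets of managed devices, checking by hand does not scale. The following added example (not Google tooling) decides whether an installed Chrome for Android build carries the fix, comparing version components numerically rather than as strings, because a string comparison ranks "143.0.7499.95" above "143.0.7499.110" and would report a vulnerable build as safe. It assumes the version string is taken from the output of `adb shell dumpsys package com.android.chrome` on a device with USB debugging enabled; the dumpsys excerpt below is constructed, not a real capture.

```javascript
// Added example, not Google's tooling: is an installed Chrome for Android
// build at or above the first patched version for CVE-2025-14373?

const FIXED_VERSION = '143.0.7499.110'; // first patched version from the advisory

function parseVersion(v) {
  // Chrome versions are exactly four decimal components; an empty component
  // (as in the garbled "143..7499.110") is rejected rather than read as 0.
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a Chrome version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) >= 0;
}

// `adb shell dumpsys package com.android.chrome` (assumed invocation) prints a
// `versionName=` line for the installed package; pull it out of that output.
function versionFromDumpsys(dumpsysOutput) {
  const m = /^\s*versionName=(\d+\.\d+\.\d+\.\d+)\s*$/m.exec(dumpsysOutput);
  return m ? m[1] : null;
}

// Constructed sample of the relevant dumpsys lines (not a real capture).
const SAMPLE_DUMPSYS = [
  'Packages:',
  '  Package [com.android.chrome]:',
  '    versionName=143.0.7499.95',
  '    codePath=/data/app/com.android.chrome',
].join('\n');

function auditSample() {
  const installed = versionFromDumpsys(SAMPLE_DUMPSYS);
  return { installed, patched: installed !== null && isPatched(installed) };
}

console.log(auditSample()); // { installed: '143.0.7499.95', patched: false }
```

Feed real dumpsys output into versionFromDumpsys() and the same isPatched() call tells you whether the device still needs the update; a null result means Chrome is not installed under that package name (Chrome Beta, Dev and Canary use different package names).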
Chromium Bug Tracker:
- CVE-2025-14373 in Chromium (search for updates and technical breakdown)
Chrome Release Notes:
Google Security Blog:
- Chromium Security Blog
- OWASP Domain Spoofing
Conclusion
CVE-2025-14373 highlights how even a toolbar—a small but crucial detail—can have a huge impact on security. Google patched the issue fast, but it’s a reminder for everyone: keep your browsers updated, and always be careful where you enter passwords.
Stay safe, always check your Chrome version, and follow Google’s security tips!
If you liked this breakdown or have further questions about CVE-2025-14373, let us know in the comments!
Timeline
Published on: 12/12/2025 19:20:42 UTC
Last modified on: 12/19/2025 15:33:52 UTC