CVE-2025-12725 is a vulnerability identified in the WebGPU implementation of Google Chrome on Android platforms prior to version 142.0.7444.137. The flaw is an out-of-bounds read that can be triggered by a remote attacker through a specially crafted HTML page. This out-of-bounds read leads to an out-of-bounds memory write, which can corrupt memory and potentially allow arbitrary code execution or data leakage. The vulnerability does not require any privileges or authentication but does require user interaction, such as visiting a malicious or compromised website. The WebGPU API is designed to provide high-performance graphics and computation capabilities in web browsers, and a flaw here can have significant security implications. The CVSS v3.1 base score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with an attack vector over the network, low attack complexity, no privileges required, and user interaction needed. Although no exploits have been reported in the wild yet, the severity and ease of exploitation make this a critical vulnerability to address promptly. The vulnerability was publicly disclosed on November 10, 2025, and Google has released a patched version of Chrome (142.0.7444.137) to remediate the issue.

For European organizations, this vulnerability poses a significant risk due to the widespread use of Google Chrome on Android devices. Exploitation could lead to unauthorized data access, execution of arbitrary code, or denial of service, impacting confidentiality, integrity, and availability of sensitive information and services. Sectors such as finance, healthcare, government, and critical infrastructure that rely heavily on mobile web access are particularly vulnerable. The potential for remote exploitation without authentication increases the threat surface, especially in environments where users frequently browse untrusted or external websites. Additionally, the vulnerability could be leveraged as a foothold for further network intrusion or lateral movement within corporate environments. The absence of known exploits in the wild currently provides a window for mitigation, but the high CVSS score underscores the urgency for patching.

Organizations should immediately ensure all Android devices are updated to Google Chrome version 142.0.7444.137 or later. Implement mobile device management (MDM) solutions to enforce browser updates and restrict installation of outdated or unapproved applications. Employ web filtering and URL reputation services to block access to potentially malicious or untrusted websites that could host crafted HTML pages exploiting this vulnerability. Educate users about the risks of interacting with unknown or suspicious web content, emphasizing cautious browsing behavior. For high-risk environments, consider disabling or restricting WebGPU functionality via browser policies or configurations until patches are fully deployed. Monitor network traffic for unusual patterns indicative of exploitation attempts and maintain up-to-date endpoint detection and response (EDR) tools capable of identifying memory corruption exploits. Finally, maintain an incident response plan tailored to web-based exploitation scenarios.