
CVE-2025-12910: Inappropriate implementation in Google Chrome

Published: Fri Nov 07 2025 (11/07/2025, 23:23:39 UTC)
Source: CVE Database V5
Vendor/Project: Google
Product: Chrome

Description

Inappropriate implementation in Passkeys in Google Chrome prior to 140.0.7339.80 allowed a local attacker to obtain potentially sensitive information via debug logs. (Chromium security severity: Low)

AI-Powered Analysis

Last updated: 11/07/2025, 23:44:55 UTC

Technical Analysis

CVE-2025-12910 is a security vulnerability identified in Google Chrome prior to version 140.0.7339.80, related to the implementation of Passkeys, a modern authentication mechanism designed to replace passwords with cryptographic credentials. The flaw stems from an inappropriate implementation that causes sensitive information to be exposed via debug logs accessible to local users. Specifically, debug logs generated by Chrome's Passkeys feature may contain sensitive data that should not be exposed, such as authentication tokens or credential metadata. Because the vulnerability requires local access, an attacker must have the ability to execute code or commands on the victim's machine to retrieve these logs. The Chromium security team has assigned a low severity rating, indicating that the impact is limited and exploitation complexity is relatively high. No CVSS score has been assigned yet, and no known exploits have been reported in the wild. The vulnerability highlights the importance of secure logging practices and proper handling of sensitive data within browser components. Google has addressed this issue in Chrome version 140.0.7339.80, and users are advised to update to this or later versions to eliminate the risk. The vulnerability does not involve remote exploitation or server-side components; it concerns client-side security and local threat models.

Potential Impact

For European organizations, the impact of CVE-2025-12910 is primarily related to the confidentiality of sensitive authentication information stored or processed on user devices running vulnerable Chrome versions. If an attacker gains local access—through physical access, malware, or insider threats—they could extract sensitive data from debug logs, potentially leading to credential theft or unauthorized access to protected resources. This could undermine user privacy and compromise secure authentication workflows, especially in sectors relying heavily on Passkeys for passwordless authentication, such as finance, healthcare, and government services. However, since exploitation requires local access and no remote attack vector is known, the overall risk to large-scale infrastructure or network availability is minimal. The vulnerability could be more impactful in environments with lax endpoint security or where devices are shared or insufficiently protected. Organizations with strict endpoint management and rapid patch deployment will face limited exposure. The threat also underscores the need for secure logging and monitoring practices to prevent leakage of sensitive information through diagnostic outputs.

Mitigation Recommendations

European organizations should prioritize updating Google Chrome to version 140.0.7339.80 or later to remediate this vulnerability. Endpoint security policies should enforce automatic browser updates and restrict local access to user devices to trusted personnel only. Implementing strong endpoint protection solutions that detect and prevent unauthorized local access or malware execution can reduce exploitation risk. Organizations should audit and limit debug logging levels on user devices, ensuring sensitive information is not recorded or is securely protected. Regularly reviewing and hardening local access controls, including user permissions and physical security, will mitigate the threat from insider or local attackers. Additionally, organizations should educate users about the risks of local device compromise and encourage best practices for device security. Monitoring for unusual local access patterns or attempts to access debug logs can provide early detection of exploitation attempts. Finally, integrating Passkeys securely within organizational authentication frameworks and ensuring that fallback mechanisms do not expose additional vulnerabilities is recommended.
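The version check behind the update recommendation, as an added example (not part of the original page and not Google's tooling): it classifies a host inventory against the fixed build 140.0.7339.80 using numeric per-component comparison. The inventory format, hostnames and function names are assumptions, and the sample data is constructed.

```python
import re

FIXED = (140, 0, 7339, 80)  # first fixed Chrome build, from the advisory above

# Four dot-separated numeric components, as Chrome reports its version.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version as 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_chrome_version(version_text)
    if version is None:
        return "unknown"  # unparsable entries need manual follow-up
    # Tuple comparison is numeric per component, so 140.0.7339.9 < 140.0.7339.80.
    return "vulnerable" if version < FIXED else "fixed"


def triage(inventory):
    """Group hostnames by status for an inventory of (host, version_text)."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 139.0.7258.154"),
    ("ws-002", "Google Chrome 140.0.7339.80"),
    ("ws-003", "140.0.7339.9"),
    ("ws-004", "Google Chrome 141.0.7390.54 "),
    ("ws-005", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing versions as strings would rank 140.0.7339.9 above 140.0.7339.80 and miss that host, which is why the check parses each component to an integer first.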


Technical Details

Data Version: 5.2
Assigner Short Name: Chrome
Date Reserved: 2025-11-07T23:22:39.260Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690e812b0e7acb8066fb445a

Added to database: 11/7/2025, 11:30:51 PM

Last enriched: 11/7/2025, 11:44:55 PM

Last updated: 11/8/2025, 4:46:23 AM
