
CVE-2025-12910: Inappropriate implementation in Google Chrome

Severity: Medium
Tags: Vulnerability, CVE-2025-12910, cve, cve-2025-12910
Published: Fri Nov 07 2025 (11/07/2025, 23:23:39 UTC)
Source: CVE Database V5
Vendor/Project: Google
Product: Chrome

Description

Inappropriate implementation in Passkeys in Google Chrome prior to 140.0.7339.80 allowed a local attacker to obtain potentially sensitive information via debug logs. (Chromium security severity: Low)

AI-Powered Analysis

AI analysis last updated: 11/15/2025, 00:22:45 UTC

Technical Analysis

CVE-2025-12910 is a vulnerability identified in Google Chrome's Passkeys implementation prior to version 140.0.7339.80. The issue stems from an inappropriate implementation that causes sensitive information to be exposed via debug logs accessible to local attackers. Passkeys are a modern authentication mechanism designed to replace passwords with cryptographic credentials, enhancing security. However, in this case, debug logs inadvertently contain sensitive data related to Passkeys, which could include authentication tokens or cryptographic material.

The vulnerability is classified under CWE-1295, indicating improper implementation leading to information exposure. The CVSS v3.1 base score is 6.2 (medium severity), with the vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, meaning the attack requires local access but no privileges or user interaction, and impacts confidentiality significantly without affecting integrity or availability. No public exploits have been reported, suggesting limited active exploitation. The flaw primarily threatens confidentiality by allowing local attackers to glean sensitive authentication information, potentially facilitating further attacks or unauthorized access if combined with other vulnerabilities or social engineering.

The vulnerability was published on November 7, 2025, and no patch links were provided in the source, but upgrading to Chrome 140.0.7339.80 or later is implied as the fix. This vulnerability highlights the importance of secure logging practices, especially for sensitive authentication components like Passkeys.

Potential Impact

For European organizations, the primary impact of CVE-2025-12910 is the potential leakage of sensitive authentication information through debug logs accessible to local attackers. This could lead to unauthorized access if attackers leverage the exposed data to impersonate users or bypass authentication mechanisms. Organizations with shared or poorly secured workstations, or environments where local access controls are lax, are at higher risk. The vulnerability does not directly affect system integrity or availability, but the confidentiality breach could facilitate subsequent attacks, including lateral movement or privilege escalation. Sectors with high security requirements, such as finance, government, and critical infrastructure, may face increased risk due to the sensitivity of the data potentially exposed. Additionally, organizations relying heavily on Chrome for authentication workflows using Passkeys must prioritize remediation to prevent exploitation. Since exploitation requires local access, remote attackers are less likely to benefit directly, but insider threats or malware with local execution capabilities remain concerns. The absence of known exploits reduces immediate risk but does not eliminate the need for prompt mitigation.

Mitigation Recommendations

1. Upgrade all Google Chrome installations to version 140.0.7339.80 or later as soon as possible to ensure the vulnerability is patched.
2. Restrict local access to systems running vulnerable Chrome versions by enforcing strict physical security and user access controls.
3. Limit access to debug logs by configuring logging settings to avoid storing sensitive Passkey information or by securing log files with appropriate permissions.
4. Implement endpoint detection and response (EDR) solutions to monitor for suspicious local activity that could indicate attempts to access debug logs or exploit the vulnerability.
5. Educate users and administrators about the risks of local access vulnerabilities and the importance of maintaining updated software.
6. Review and harden authentication workflows involving Passkeys to detect anomalies potentially stemming from leaked credentials.
7. Conduct regular audits of local system access and log file permissions to ensure compliance with security policies.
8. Consider deploying application whitelisting and privilege management to reduce the risk of unauthorized local code execution that could exploit this vulnerability.
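Recommendations 1, 3 and 7 can be checked with a short script. This is an added example, not part of the original advisory: it compares an inventoried Chrome version string against the fixed build and reports log files that group or other users can read. The function names are illustrative, the log directory is supplied by the caller (the advisory does not name one), and the permission check assumes a POSIX file system.

```python
import os
import stat

FIXED = (140, 0, 7339, 80)  # first fixed Chrome build, as stated in the advisory

def is_patched(version: str) -> bool:
    """True if a dotted four-part Chrome version is at or above the fixed build."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    # Tuple comparison is numeric per component, so 140.0.7339.9 < 140.0.7339.80.
    return tuple(int(p) for p in parts) >= FIXED

def readable_by_others(log_dir: str, suffix: str = ".log") -> list:
    """Return (path, mode) for regular log files readable by group or other."""
    findings = []
    for root, _dirs, files in os.walk(log_dir):
        for name in files:
            if not name.endswith(suffix):
                continue
            path = os.path.join(root, name)
            # Do not follow symlinks: audit the entry that is actually on disk.
            mode = os.stat(path, follow_symlinks=False).st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, stat.filemode(mode)))
    return sorted(findings)

def audit(versions: dict, log_dir: str) -> dict:
    """Combine both checks: hosts below the fixed build and over-exposed logs."""
    return {
        "unpatched_hosts": sorted(h for h, v in versions.items() if not is_patched(v)),
        "exposed_logs": readable_by_others(log_dir),
    }
```

Feed `audit` a host-to-version mapping from your software inventory and the directory where your deployment writes browser logs; files it reports should be tightened to owner-only access (mode 0600).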


Technical Details

Data Version: 5.2
Assigner Short Name: Chrome
Date Reserved: 2025-11-07T23:22:39.260Z
Cvss Version: null
State: PUBLISHED

Threat ID: 690e812b0e7acb8066fb445a

Added to database: 11/7/2025, 11:30:51 PM

Last enriched: 11/15/2025, 12:22:45 AM

Last updated: 12/22/2025, 5:56:36 PM

Views: 104
