
CVE-2025-48883: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in chrome-php chrome

Severity: Medium
Published: Fri May 30 2025 (05/30/2025, 18:47:42 UTC)
Source: CVE Database V5
Vendor/Project: chrome-php
Product: chrome

Description

Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding manually to their selectors if they are unable to upgrade.

AI-Powered Analysis

Last updated: 07/08/2025, 13:55:33 UTC

Technical Analysis

CVE-2025-48883 is a medium-severity cross-site scripting (XSS) vulnerability affecting the chrome-php project, specifically versions prior to 1.14.0. Chrome PHP is a PHP library that enables users to interact with Chrome or Chromium browsers in headless mode, facilitating automated browser control from PHP scripts. The vulnerability arises from improper neutralization of input during web page generation: CSS Selector expressions are not properly encoded. This allows malicious actors to inject and execute arbitrary JavaScript code in the context of the affected application. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. Exploitation does not require authentication or privileges, but it does require user interaction, such as submitting crafted input that is used in CSS selectors without proper encoding. The CVSS 4.0 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, and user interaction needed. The scope is limited but can lead to confidentiality and integrity impacts by executing unauthorized scripts in the victim's browser context. The issue was patched in version 1.14.0 of chrome-php, and users unable to upgrade can mitigate the risk by manually encoding CSS selectors to prevent injection. No known exploits are currently reported in the wild.

Potential Impact

For European organizations using chrome-php in their web applications or automation workflows, this vulnerability poses a risk of client-side script injection that can lead to session hijacking, data theft, or unauthorized actions performed on behalf of users. Although the vulnerability requires user interaction, it can be exploited via phishing or maliciously crafted inputs, potentially impacting web portals, internal tools, or automated testing environments. The impact is particularly relevant for organizations relying on PHP-based automation with Chrome headless, including sectors such as finance, e-commerce, and government services that may use such tools for web scraping, testing, or browser automation. Successful exploitation could compromise user data confidentiality and integrity, damage organizational reputation, and lead to regulatory compliance issues under GDPR if personal data is exposed. However, the vulnerability does not affect the availability of services directly and does not require elevated privileges, limiting the attacker's scope to the context of the affected web application or automation environment.

Mitigation Recommendations

To mitigate CVE-2025-48883, European organizations should promptly upgrade chrome-php to version 1.14.0 or later, where the vulnerability is patched. If upgrading is not immediately feasible, developers must ensure that all CSS Selector expressions are properly encoded before use to neutralize potentially malicious input. This can be achieved by implementing strict input validation and output encoding routines specifically targeting CSS selectors within the PHP codebase. Additionally, organizations should review their use of chrome-php in automation and web applications to identify any exposure to untrusted input that could be exploited. Employing Content Security Policy (CSP) headers can further reduce the risk of XSS by restricting script execution sources. Regular security code reviews and automated scanning for XSS patterns in the code handling CSS selectors are recommended. Finally, user awareness training to recognize phishing attempts can reduce the likelihood of successful exploitation requiring user interaction.
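One way to apply the manual-encoding workaround described above, as an added example that is not chrome-php's own code or its patch. It assumes the selector ends up inside a JavaScript string literal evaluated in the page; the function names, the allow-list policy and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not chrome-php code. Assumption: the selector is placed
// inside a JavaScript string literal that the headless browser evaluates.

/** Unsafe pattern: raw concatenation lets a quote end the string literal. */
function buildExpressionUnsafe(string $selector): string
{
    return 'document.querySelector("' . $selector . '")';
}

/** Hardened pattern: json_encode() emits a complete, escaped JS string literal. */
function buildExpressionEncoded(string $selector): string
{
    // Throws JsonException on invalid UTF-8 instead of silently returning false.
    $literal = json_encode(
        $selector,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return 'document.querySelector(' . $literal . ')';
}

/** Strict allow-list for selectors built from untrusted input (hypothetical policy). */
function isPlainSelector(string $selector): bool
{
    // No quotes, semicolons, backslashes or angle-bracket pairs; bounded length.
    return preg_match('/\A[A-Za-z0-9_\-#.\[\]=\s>+~*:,^$|()]{1,256}\z/', $selector) === 1;
}

// Constructed sample inputs: one ordinary selector, one that tries to
// close the string literal and append a statement.
$samples = [
    'div.result > a[href]',
    'x"); document.title = "injected"; ("',
];

foreach ($samples as $s) {
    printf("input:   %s\n", $s);
    printf("unsafe:  %s\n", buildExpressionUnsafe($s));
    printf("encoded: %s\n", buildExpressionEncoded($s));
    printf("allowed: %s\n\n", isPlainSelector($s) ? 'yes' : 'no');
}
```

With the second input, the unsafe builder produces several JavaScript statements, while the encoded builder keeps the whole input inside a single string argument and the allow-list rejects it outright.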


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-27T20:14:34.296Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6839ffe7182aa0cae2bc9d59

Added to database: 5/30/2025, 6:58:47 PM

Last enriched: 7/8/2025, 1:55:33 PM

Last updated: 8/12/2025, 8:54:53 AM
