CVE-2025-48980 is a vulnerability identified in the Brave Desktop Browser prior to version 1.83.10, specifically affecting the split view feature. The flaw stems from the "Open Link in Split View" context menu option failing to respect the SameSite cookie attribute, particularly SameSite=Strict. Normally, SameSite=Strict cookies are designed to prevent cookies from being sent during cross-site navigations, thereby mitigating cross-site request forgery (CSRF) and other cross-site attacks. However, due to this vulnerability, when a user opens a link in split view, the browser erroneously sends these cookies even though the navigation is cross-site. This behavior undermines the intended security model of the SameSite attribute, potentially exposing sensitive session cookies to third-party sites. The vulnerability does not require prior authentication but does require user interaction to trigger the context menu action. The CVSS v3.0 score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but user interaction is necessary. The impact is primarily on confidentiality, as attackers could leverage this flaw to gain unauthorized access to session cookies, possibly leading to session hijacking or user tracking. No known exploits have been reported in the wild as of the publication date. The Brave development team has addressed this issue in version 1.83.10, and users are advised to update promptly. The vulnerability highlights the importance of strict enforcement of cookie policies in browser features that enable cross-site interactions.

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive session cookies when users interact with malicious or compromised websites via the Brave browser's split view feature. This exposure increases the risk of session hijacking, user impersonation, and privacy violations, particularly for organizations relying on web-based authentication and services. Sectors such as finance, healthcare, and government, which handle sensitive personal data, could face increased risks of data breaches or regulatory non-compliance if user sessions are compromised. Additionally, organizations with remote or hybrid workforces using Brave Browser might inadvertently expose internal or customer session data. Although the vulnerability requires user interaction, targeted phishing or social engineering campaigns could exploit this vector. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Overall, the impact is moderate but significant enough to warrant timely remediation to protect confidentiality and maintain trust.

1. Update Brave Desktop Browser to version 1.83.10 or later immediately to apply the official fix that enforces the SameSite cookie attribute correctly in the split view feature. 2. If updating is not immediately feasible, disable the split view feature in Brave Browser settings to prevent triggering the vulnerable code path. 3. Educate users about the risks of opening untrusted links in split view or any browser feature that enables cross-site navigation with cookies. 4. Implement additional web application security measures such as multi-factor authentication (MFA) to reduce the impact of potential session hijacking. 5. Monitor network and endpoint logs for unusual cross-site cookie transmissions or suspicious user interactions that could indicate exploitation attempts. 6. Encourage the use of browser extensions or security tools that enhance cookie management and privacy controls. 7. Coordinate with IT and security teams to ensure timely patch management and user awareness campaigns focused on this vulnerability.