CVE-2025-48980: Vulnerability in Brave Desktop Browser
In Brave Browser Desktop versions prior to 1.83.10 that have the split view feature enabled, the "Open Link in Split View" context menu item did not respect the SameSite cookie attribute. Therefore SameSite=Strict cookies would be sent on a cross-site navigation using this method.
AI Analysis
Technical Summary
CVE-2025-48980 is a vulnerability identified in the Brave Desktop Browser versions prior to 1.83.10, specifically affecting the split view feature. The vulnerability arises because the "Open Link in Split View" context menu option does not properly enforce the SameSite cookie attribute, particularly SameSite=Strict. Normally, the SameSite=Strict attribute prevents cookies from being sent on cross-site requests, thereby mitigating cross-site request forgery (CSRF) and cross-site leakage risks. However, in this case, when a user opens a link in split view, the browser incorrectly sends SameSite=Strict cookies along with the cross-site navigation request. This behavior violates the intended security model of the SameSite attribute, potentially allowing malicious sites or actors to gain access to sensitive cookie data that should have been restricted. The vulnerability does not affect cookie integrity or availability but compromises confidentiality by leaking cookies that may contain authentication tokens or session identifiers. Exploitation requires user interaction (opening a link in split view) but no prior authentication or elevated privileges. The vulnerability is tracked under CWE-565 (Reliance on Cookies without Validation and Integrity Checking). Although no exploits are currently known in the wild, the medium CVSS score of 6.5 reflects the moderate risk posed by this issue. The flaw is particularly relevant for users and organizations that rely on Brave Browser's privacy features and handle sensitive or personal data.
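The SameSite rule described above, as an added example that is not Brave's code and not part of the original advisory: a simplified model of how a browser decides which cookies accompany a request. The host names, the cookie jar and the helper names `siteOf` and `cookiesToSend` are constructed for illustration. Representing the reported behaviour as a navigation whose cross-site initiator is ignored is an assumption, since the page does not describe Brave's internals.

```javascript
// Added illustration (not Brave's code): simplified SameSite cookie selection.
// ASSUMPTION: a "site" is scheme + last two host labels; real browsers use the
// Public Suffix List. Cookies here are host-only (no Domain/Path matching).
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// req = { url, initiator, topLevelNavigation, method }
// initiator: URL of the page that triggered the request, or null when there is
// none (typed URL, bookmark), which is treated as same-site.
function cookiesToSend(jar, req) {
  const targetHost = new URL(req.url).hostname;
  const sameSite =
    req.initiator === null || siteOf(req.initiator) === siteOf(req.url);
  const safeMethod = ["GET", "HEAD", "OPTIONS", "TRACE"].includes(req.method);
  return jar
    .filter((c) => c.host === targetHost)
    .filter((c) => {
      if (sameSite) return true; // same-site: every SameSite mode is sent
      if (c.sameSite === "None") return c.secure === true;
      if (c.sameSite === "Lax") return req.topLevelNavigation && safeMethod;
      return false; // Strict: never attached to a cross-site request
    })
    .map((c) => c.name);
}

// Constructed sample jar for a hypothetical application host.
const jar = [
  { name: "session", host: "app.bank.example", sameSite: "Strict", secure: true },
  { name: "prefs", host: "app.bank.example", sameSite: "Lax", secure: true },
  { name: "embed", host: "app.bank.example", sameSite: "None", secure: true },
];

// A link on another site followed as a top-level navigation: Strict is withheld.
const crossSiteNav = {
  url: "https://app.bank.example/account",
  initiator: "https://news.other.example/article",
  topLevelNavigation: true,
  method: "GET",
};

// Modelled effect of the flaw (assumption): the same navigation evaluated as if
// it had no cross-site initiator, so the Strict cookie is attached as well.
const initiatorIgnored = { ...crossSiteNav, initiator: null };

console.log(cookiesToSend(jar, crossSiteNav), cookiesToSend(jar, initiatorIgnored));
```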
Potential Impact
For European organizations, this vulnerability poses a risk to user privacy and data confidentiality, especially for entities handling sensitive personal information such as financial institutions, healthcare providers, and e-commerce platforms. The unintended transmission of SameSite=Strict cookies during cross-site navigation could lead to session hijacking or unauthorized access to user accounts if attackers can trick users into opening malicious links in split view. This undermines the privacy guarantees that Brave Browser aims to provide, potentially exposing organizations to data protection compliance issues under GDPR. While the vulnerability does not affect system integrity or availability, the confidentiality breach could damage user trust and lead to regulatory penalties. Organizations with employees or customers using vulnerable Brave versions may face increased risk of targeted phishing or social engineering attacks leveraging this flaw. The requirement for user interaction limits mass exploitation but does not eliminate targeted attacks. Overall, the impact is moderate but significant for privacy-conscious European organizations.
Mitigation Recommendations
The primary mitigation is to upgrade Brave Desktop Browser to version 1.83.10 or later, where the vulnerability is fixed. Organizations should enforce browser update policies to ensure all users apply this patch promptly. If immediate upgrading is not feasible, disabling the split view feature in Brave Browser settings can prevent exploitation by eliminating the flawed context menu behavior. Additionally, organizations should educate users about the risks of opening untrusted links in split view and encourage cautious browsing habits. Implementing network-level protections such as web filtering to block known malicious URLs can reduce exposure. Monitoring browser telemetry and logs for unusual cross-site navigation patterns may help detect exploitation attempts. Finally, organizations should review cookie handling policies and consider additional security controls like multi-factor authentication to mitigate potential session hijacking resulting from cookie leakage.
Affected Countries
Germany, France, Netherlands, United Kingdom, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: hackerone
- Date Reserved: 2025-05-29T15:00:04.773Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6903f7a3aebfcd5474a4474a
Added to database: 10/30/2025, 11:41:23 PM
Last enriched: 12/1/2025, 9:18:49 PM
Last updated: 12/15/2025, 3:50:45 PM