Google Patches High-Severity Chrome Vulnerability Discovered by 'Micky'

A high-severity vulnerability in Chrome has been patched. Update now to protect against potential sandbox escapes and system command execution.

Google has patched a high-severity vulnerability in Chrome, discovered by a researcher known as 'Mickey 17'. The issue, tracked as CVE-2025-4609, was reported in April and fixed in Chrome 136, released in mid-May. The researcher earned a $250,000 reward through Google's Vulnerability Rewards Program (VRP).

The vulnerability lies in Chrome's Mojo IPC system and allows an attacker to escape the sandbox in certain circumstances. Mickey 17's proof-of-concept exploit had a 70-80% success rate for sandbox escape and system command execution. The issue was caused by an incorrect handle provided in unspecified scenarios. Google disclosed the vulnerability details after releasing the fix, and the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its catalog of known exploited vulnerabilities in March 2025.

The Chrome Vulnerability Rewards Program awarded Mickey 17 $250,000 for discovering and reporting the vulnerability. Users are advised to update their Chrome browsers to the latest version to ensure they are protected from this high-severity issue.
