Chrome sandbox escape nets security researcher $250,000 reward

Researcher earns Google Chrome's top $250K bounty for a sandbox escape vulnerability enabling remote code execution.

A researcher who goes by the online moniker ‘Micky’ earned $250,000 from Google for reporting a high-severity Chrome vulnerability. The flaw, tracked as CVE-2025-4609, resides in the Mojo IPC system; an attacker can exploit it to escape the sandbox and achieve remote code execution. The flaw can be triggered by tricking the target into visiting a maliciously crafted website.

Mojo is Chromium’s inter-process communication (IPC) framework designed for efficient communication between different processes within the browser. It provides a language-agnostic way to define interfaces and messages for communication across process boundaries. Mojo uses “message pipes” consisting of two endpoints (Remote and Receiver) that send and receive asynchronous messages using strongly-typed interfaces defined in special .mojom files.

The issue stems from an incorrect handle provided in unspecified circumstances in Mojo.

The researcher reported the vulnerability on April 22 and the tech giant addressed the flaw in mid-May with Chrome 136.

Google disclosed the vulnerability details after releasing the fix.

“Untrusted nodes could reflect a broker initiated transport back to a broker. This ultimately allows for handle leaks if the reflected transport was later used to deserialize another transport containing handles in the broker.” reads the advisory. “This CL addresses this along several axes:

1. untrusted transports cannot return new links to brokers.
2. process trustiness on Windows is propagated when a transport is
deserialized from a transport.”

The researcher’s PoC exploit achieved a 70–80% success rate for sandbox escape and system command execution.

“Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $250000.00 for this report.” reads the message sent by Google to the researcher that acknowledged the issue. “Rationale for this decision: report demonstrating a Chrome sandbox escape — while arguably there is a race here, this is a very complex logic bug and high quality report with a functional exploit, with good analysis and demonstration of a sandbox escape. This is amazing work and the type of researcher we want to reward with these types of rewards and incentivize future investment in this type of research.”

In March 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Google Chromium Mojo sandbox escape vulnerability, tracked as CVE-2025-2783, to its Known Exploited Vulnerabilities (KEV) catalog.

Google released out-of-band fixes to address the high-severity security vulnerability CVE-2025-2783 in Chrome browser for Windows. The flaw was actively exploited in attacks targeting organizations in Russia.

The vulnerability is an incorrect handle provided in unspecified circumstances in Mojo on Windows.


Pierluigi Paganini

(SecurityAffairs – hacking, Mojo)
