CVE-2025-48980
PUBLISHED
CVSS 6.5 MEDIUM
In Brave Browser Desktop versions prior to 1.83.10 that have the split view feature enabled, the "Open Link in Split View" context menu item did not respect the SameSite cookie attribute. Therefore SameSite=Strict cookies would be sent on a cross-site navigation using this method.
EPSS 0.05% · 14.8th percentile
Risk Scores
- CVSS 3.0: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
- EPSS Score: 0.05% (14.8th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Brave | Desktop Browser | prior to 1.83.10 |
Exploit Intelligence
- SameSite restrictions are lifted, and SameSite:Strict cookie are being sent. (hackerone)
- CIRCL seen: CVE-2025-48980 (circl-sighting)
- https://hackerone.com/reports/3253725 (cve.org)
Timeline
- CVE Published
- Oct 15, 2025 PoC Published
- Oct 31, 2025 EPSS Score
- Oct 31, 2025 PoC Published
- Nov 6, 2025 EPSS Score
- Nov 11, 2025 EPSS Score
- Nov 17, 2025 EPSS Score
- Nov 22, 2025 EPSS Score
- Nov 28, 2025 EPSS Score
- Dec 3, 2025 EPSS Score
- Dec 9, 2025 EPSS Score
- Dec 14, 2025 EPSS Score