Chrome Sandbox Escape Nets Security Researcher $250,000 Reward

A security researcher going by the handle 'Micky' has earned $250,000 from Google for reporting a high-severity Chrome vulnerability that enabled remote code execution. Identifying and exploiting this critical flaw in the Chromium-based browser has made the researcher an invaluable asset to the tech giant's security community.

The vulnerability, tracked as CVE-2025-4609, resides in Mojo, Chromium's inter-process communication (IPC) framework, which carries messages between the browser's separate processes. That same framework, however, was exploited by attackers to escape the sandbox and achieve remote code execution.

So how did this happen? According to experts, an attacker could trigger the flaw by luring the target to a maliciously crafted website. The root cause is an incorrect handle provided in unspecified circumstances in Mojo, which let an attacker create a "handle leak" by reflecting a broker-initiated transport back to a broker.

"Untrusted nodes could reflect a broker initiated transport back to a broker. This ultimately allows for handle leaks if the reflected transport was later used to deserialize another transport containing handles in the broker," reads the advisory from Google. "This CL addresses this along several axes: 1. untrusted transports cannot return new links to brokers. 2. process trustiness on Windows is propagated when a transport is deserialized from a transport."
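To make the advisory's two fix axes concrete, here is an added toy model (constructed for this article; it is not Chromium or Mojo code) in which a broker deserializes a transport that a sandboxed peer reflected back over an untrusted link. The `Transport`, `Handle`, `deserialize_transport_*` and `simulate` names, the wire-payload dictionary and the handle names are all assumptions made for illustration. The "vulnerable" path copies trust from the payload, while the "fixed" path refuses broker links arriving over untrusted transports and inherits trust from the parent transport, which is the behaviour the advisory describes.

```python
"""Toy model of IPC transport trust propagation (constructed example, not Mojo code).

A broker process holds handles (files, processes) that sandboxed processes
must not obtain directly.  Transports carry messages between processes, and a
transport can itself be serialized inside a message on another transport.
The model shows why a broker must not trust a transport's own claims about
its peer when that transport arrived over an untrusted link.
"""
from dataclasses import dataclass


@dataclass
class Handle:
    name: str


@dataclass
class Transport:
    name: str
    trusted: bool         # the broker's belief: is the peer a trusted process?
    is_broker_link: bool  # the broker's belief: does this link reach a broker?


class TrustViolation(Exception):
    """Raised when an untrusted transport tries to introduce a broker link."""


def deserialize_transport_vulnerable(parent: Transport, wire: dict) -> Transport:
    # Modeled defect (assumption, simplified): trust and broker-ness are copied
    # straight from the wire payload, so a peer on an untrusted transport can
    # hand back a transport that claims to be a broker-initiated link.
    return Transport(wire["name"], wire["trusted"], wire["is_broker_link"])


def deserialize_transport_fixed(parent: Transport, wire: dict) -> Transport:
    # Axis 1 of the fix: an untrusted transport cannot return a new link to a broker.
    if not parent.trusted and wire["is_broker_link"]:
        raise TrustViolation(f"{parent.name} is untrusted; rejecting broker link {wire['name']}")
    # Axis 2: trust is inherited from the transport the new one was read from,
    # never elevated by the payload itself.
    trusted = parent.trusted and wire["trusted"]
    return Transport(wire["name"], trusted, wire["is_broker_link"] and trusted)


def broker_send_handles(transport: Transport, handles: list[Handle]) -> list[Handle]:
    """Broker-side policy: handles travel only over links the broker believes are trusted."""
    return list(handles) if transport.trusted else []


def simulate(deserialize) -> dict:
    """Run the reflection scenario with a given deserializer and report the outcome."""
    # Ground truth: this link's peer is a sandboxed (untrusted) process.
    broker_to_sandbox = Transport("broker->sandbox", trusted=False, is_broker_link=False)
    peer_really_trusted = False

    # Constructed payload: the sandboxed peer reflects a broker-initiated
    # transport back to the broker, claiming broker-level trust.
    reflected_wire = {"name": "reflected", "trusted": True, "is_broker_link": True}
    try:
        reflected = deserialize(broker_to_sandbox, reflected_wire)
    except TrustViolation:
        return {"accepted": False, "leaked": []}

    # Later the broker serializes handles into a message on the reflected transport.
    handles = [Handle("file:/secrets/token"), Handle("process:broker")]
    delivered = broker_send_handles(reflected, handles)

    # Any handle that reaches an untrusted peer is a leak.
    leaked = [] if peer_really_trusted else [h.name for h in delivered]
    return {"accepted": True, "leaked": leaked}


if __name__ == "__main__":
    print("vulnerable:", simulate(deserialize_transport_vulnerable))
    print("fixed:     ", simulate(deserialize_transport_fixed))
```

The defensive lesson the model isolates is that trust must be a property of the path a message arrived on, not of the message's contents: the fixed deserializer still accepts transports read over a trusted link, so legitimate broker-to-broker traffic is unaffected, while anything read over an untrusted link can at most be as trusted as that link.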

The researcher's proof-of-concept (PoC) exploit achieved an impressive 70-80% success rate for sandbox escape and system command execution. This achievement solidified their position as a top-notch security researcher, deserving of the $250,000 reward.

Google's Chrome Vulnerability Rewards Program (VRP) Panel acknowledged the issue and awarded Micky the sum. "Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $250,000.00 for this report," reads Google's message to the researcher.

"Rationale for this decision: report demonstrating a Chrome sandbox escape — while arguably there is a race here, this is a very complex logic bug and high-quality report with a functional exploit, with good analysis and demonstration of a sandbox escape. This is amazing work and the type of researcher we want to reward with these types of rewards and incentivize future investment in this type of research."

Mojo sandbox escapes have also been abused in the wild. In March 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a separate Google Chromium Mojo sandbox escape vulnerability, tracked as CVE-2025-2783, to its Known Exploited Vulnerabilities (KEV) catalog after it was actively exploited in attacks targeting organizations in Russia.

Google released out-of-band fixes for the high-severity CVE-2025-2783 in the Chrome browser for Windows. Together, these cases underscore the value of responsible disclosure and of researchers like Micky continuing to identify and report such vulnerabilities.
