CVE-2026-10928

Google · Chrome

A script injection vulnerability in the Headless mode of Google Chrome could allow an attacker to execute unauthorized scripts.

Executive summary

A script injection vulnerability within the Headless mode of Google Chrome could enable an attacker to execute malicious code, threatening system integrity.

Vulnerability

This is a script injection vulnerability affecting the Headless mode functionality of Google Chrome. An unauthenticated attacker can leverage this to inject and execute arbitrary scripts, potentially manipulating browser automation tasks or exposing sensitive headless environment data.

Business impact

Given the widespread use of headless browsers for automated testing and web scraping, this vulnerability could be leveraged to compromise automated workflows. With a CVSS score of 8.8, the impact includes unauthorized data access and the potential for persistent control over the automated environment.

Remediation

Immediate Action: Upgrade Google Chrome to version 149 or later to patch the underlying script injection flaw.

Proactive Monitoring: Audit automated tasks and headless browser deployments for unusual script execution patterns or unexpected external connections.

Compensating Controls: Isolate automated browser environments from the internal network and limit the permissions of the service accounts running headless tasks.
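The remediation steps above hinge on a single fact per host: whether the installed Chrome or Chromium binary is at major version 149 or later. The following script is an added example (not part of this advisory and not Google's code) that audits an inventory of `google-chrome --version` / `chromium --version` outputs collected from automation hosts and flags the ones still below the fixed major version. The inventory format (hostname, tab, version output), the hostnames, and the build numbers in the sample are constructed for illustration; only the 149 threshold comes from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed major version stated in the advisory: Chrome 149 or later.
FIXED_MAJOR = 149

# Matches the output of `google-chrome --version` or `chromium --version`,
# e.g. "Google Chrome 148.0.7200.10" or "Chromium 149.0.7300.42".
# "Google Chrome for Testing" (used by some automation setups) is also accepted.
VERSION_RE = re.compile(
    r"(?:Google Chrome|Chromium)(?: for Testing)?\s+(\d+)\.(\d+)\.(\d+)\.(\d+)"
)

# Constructed sample inventory: "<host>\t<output of --version>" per line.
# Version numbers are made up for illustration, not real Chrome builds.
SAMPLE_INVENTORY = """\
# host\tversion output
ci-runner-01\tGoogle Chrome 148.0.7200.10
ci-runner-02\tGoogle Chrome 149.0.7300.42
scraper-03\tChromium 147.0.7100.5
scraper-04\tGoogle Chrome for Testing 150.0.7400.0
legacy-05\tcommand not found: google-chrome
"""


def parse_version(output: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, build, patch) from a --version line, or None."""
    m = VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_patched(output: str) -> Optional[bool]:
    """True if the reported major version meets the fixed version,
    False if it is older, None if the output could not be parsed."""
    version = parse_version(output)
    if version is None:
        return None
    return version[0] >= FIXED_MAJOR


def audit_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Classify every host in the inventory as patched, vulnerable or unparsed.

    Unparsed hosts (no Chrome binary found, unexpected output) are reported
    separately rather than silently treated as safe, so they get a manual look.
    """
    results: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unparsed": []}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, _, output = line.partition("\t")
        status = is_patched(output)
        if status is None:
            results["unparsed"].append(host)
        elif status:
            results["patched"].append(host)
        else:
            results["vulnerable"].append(host)
    return results


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY.splitlines())
    for bucket, hosts in report.items():
        print(f"{bucket:>10}: {', '.join(hosts) if hosts else '-'}")
```

The comparison is on the major version only, because the advisory states the fix as "149 or later"; if a vendor later publishes a specific patched build, tighten `is_patched` to compare the full tuple. The script checks the installed binary, not running processes, so a long-lived headless session started from an old binary before an upgrade still needs a restart to pick up the fix.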

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations relying on automated browser testing must prioritize this update, as headless environments are often overlooked during standard patching cycles. Updating to the latest version is the only effective way to neutralize this injection vulnerability.