Google Awards $250K for Critical Chrome Bug, Fixes Sandbox Escape Vulnerability

August 11, 2025
  • A security researcher known as 'Micky' has been awarded a $250,000 bug bounty from Google for discovering a critical vulnerability in Chrome, tracked as CVE-2025-4609.

  • This vulnerability, located in the Mojo IPC system, enables attackers to escape the browser's sandbox and achieve remote code execution by tricking users into visiting a malicious website.

  • Google described the flaw as a 'very complex logic bug'; the researcher's submission included a comprehensive report along with a functional exploit.

  • The vulnerability arises from improper handling in Mojo, which can lead to handle leaks when untrusted transports are utilized.

  • The issue highlights significant security concerns within the Chrome browser, particularly related to incorrect handling in Mojo.

  • The researcher demonstrated a proof-of-concept exploit that achieved a 70-80% success rate for escaping the sandbox and executing system commands.

  • The $250,000 reward is the maximum for a Chrome sandbox escape and is contingent upon a high-quality report demonstrating remote code execution.

  • The issue was reported on April 22, 2025, and Google released a fix in mid-May 2025 in the Chrome 136 update.

  • Google's advisory detailed the fixes implemented, including measures to prevent untrusted transports from returning new links to brokers.

  • In March 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a related vulnerability, which had been actively exploited in attacks against organizations in Russia, to its Known Exploited Vulnerabilities catalog.

  • The Chrome Vulnerability Rewards Program acknowledged the high quality of Micky's report and the complexity of the logic bug behind the vulnerability.

  • Exploitation of this vulnerability typically requires the targeted user to visit a malicious website, emphasizing the importance of user awareness.

Summary based on 2 sources


Sources

Chrome Sandbox Escape Earns Researcher $250,000