A security vulnerability has been identified in Brave Browser, potentially allowing malicious websites to masquerade as trusted ones during file upload or download operations.
The issue, tracked under CVE-2025-23086, affects specific versions of the Brave browser on desktop platforms, creating a risk for unsuspecting users.
Brave Browser Vulnerability
The vulnerability impacts Brave Browser versions 1.70.x to 1.73.x. A feature intended to display a website’s origin in the operating system’s file selector dialog failed to correctly infer the origin in certain scenarios.
This flaw, when exploited alongside an open redirector vulnerability on a trusted website, could allow malicious actors to initiate file downloads that appear to originate from the trusted site.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
For example, if a user interacts with a malicious website leveraging an open redirect on a legitimate, trusted domain, the file selector dialog during upload or download may display the trusted website as the source instead of the actual malicious site.
This misrepresentation could trick users into believing the action is safe, potentially exposing them to phishing attacks or unknowingly downloading harmful files.
Affected Versions
The vulnerability affects Brave Desktop Browser versions between 1.70.117 and before 1.74.48. Specifically:
- Affected: Versions from 1.70.117 to 1.73.x.
- Unaffected: Versions prior to 1.70.117 or starting from 1.74.48.
Brave has already released an update (version 1.74.48 and newer) to address this issue, ensuring that the origin inference for file selectors functions correctly.
Brave Software acted swiftly upon identifying the vulnerability. The company has advised users to immediately update their browsers to the latest version (1.74.48 or newer) to mitigate the risk.
Users can verify their version by navigating to the browser’s settings menu under “About Brave.”
- Update Your Browser: If you are using Brave Desktop Browser, ensure your software is upgraded to version 1.74.48 or newer.
- Exercise Caution: Be wary of unexpected download prompts, even from sites that appear trusted.
- Report Suspicious Activity: If you encounter questionable behavior, report it to Brave’s security team or trusted cybersecurity professionals.
As the cybersecurity landscape continues to evolve, users are reminded to stay vigilant and maintain up-to-date software to protect against emerging threats.
Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar
