Tuesday, 02 January 2024 12:17 GMT

Critical CSS Injection Bug Enables Full System Takeover In Google Web Designer


(MENAFN- The Arabian Post)

A client‐side remote code execution flaw in Google Web Designer for Windows poses a severe threat, allowing attackers to inject malicious CSS into configuration files to subvert internal APIs and seize full control of affected systems. The bug impacts every build prior to version 16.4.0.0711, and a fix has already been deployed in that release.

Security researcher Bálint Magyar publicly disclosed the vulnerability, tracked as CVE‐2025‐4613, by demonstrating how an attacker could embed crafted CSS rules within a configuration file. These rules can then be leveraged to manipulate internal application APIs, resulting in arbitrary code execution on Windows clients using Google Web Designer versions predating 16.4.0.0711.

This exploit was rewarded with a $3,500 bounty through Google's Vulnerability Reward Program, indicating both its severity and the company's interest in swiftly mitigating the risk.

The identification of CVE‐2025‐4613 follows an earlier disclosure by Magyar on 22 May 2025, describing another CSS‐injection‐based RCE in Web Designer, also on Windows platforms, that similarly exploited the program's configuration mechanisms to attain full system compromise. These successive disclosures suggest a broader class of vulnerabilities within the application's handling of external styling inputs and internal APIs, emphasising an urgent need for thorough code review and robust input sanitisation.

Google Web Designer, a widely used visual design tool for creating interactive HTML5 content, is central to many web development workflows. A security flaw of this magnitude, enabling takeover of client machines, represents a high technical and operational risk, especially in enterprise environments. Although the patch has been released in version 16.4.0.0711, organisations must ensure that all instances are updated immediately to avert potential exploitation.

This developing story highlights broader concerns over client-side exploitation, especially vulnerabilities that hinge on trust in components, such as configuration files, that can be silently manipulated. As exploration of similar bugs continues, security teams are advised to audit system integrity, reinforce validation protocols, and monitor for anomalous modifications in trusted files or API responses.
