
Google Awards Record $250,000 Bug Bounty for Critical Chrome Sandbox Escape Vulnerability


CyberSecureFox Editorial Team


Google awarded researcher Micky a $250,000 bug bounty for reporting CVE-2025-4609, a Chrome sandbox-escape issue in the ipcz Mojo IPC layer. The Chromium issue entry shows the reward amount and classifies the flaw as a fixed security vulnerability, while Google’s Chrome 136 stable release notes confirm that the fix shipped to users. Organizations and individuals running Chrome builds prior to version 136 should update immediately.

Understanding CVE-2025-4609: A Complex Logic Bug

The vulnerability, designated as CVE-2025-4609, was reported in April 2025 and affects the ipcz Mojo library, a component responsible for inter-process communication inside Chrome. The Chromium tracker describes it as an ipcz bug that can allow a renderer to duplicate a browser process handle and escape the sandbox, which is why this class of flaw receives special attention in browser security programs.

The issue matters because Chrome’s sandbox is a key containment layer between untrusted web content and the underlying operating system. A working sandbox escape turns a browser bug into a much more serious compromise path, especially if it can be chained with another vulnerability or delivered through a malicious website.

Technical Analysis: How the Exploit Works

Publicly available technical details remain limited, which is normal for actively patched browser vulnerabilities. What Google and Chromium have disclosed is sufficient to show the core risk: a compromised renderer process could abuse logic in the ipcz transport path to obtain a privileged browser-process handle and break out of the sandbox boundary.

For defenders, that distinction is important. The browser sandbox exists specifically to stop hostile pages from turning renderer compromise into full code execution on the host. Once that barrier fails, the exposure shifts from a browser-only issue to a broader endpoint risk.

From an attack-vector perspective, exploitation would typically require the victim to visit attacker-controlled content in a vulnerable Chrome build. That still makes timely patching essential for end users, enterprise fleets, and any environment where browsers are exposed to untrusted websites every day.

Rapid Response and Patch Deployment

Google addressed the flaw in the Chrome 136 release train. The stable desktop release announcement for Chrome 136 was published on April 29, 2025, and downstream Chromium-based browsers that inherit the same codebase also needed to pick up the fix through their own release cycles.

Maximum Bounty Criteria and Requirements

The Chromium security issue records a VRP reward of $250,000, underlining how seriously Google treats browser sandbox escapes. These bugs are expensive for vendors because they undermine one of the browser’s most important security boundaries.

Why Sandbox-Escape Bugs Matter to Defenders

Browser security today depends on layered defenses: site isolation, hardened rendering processes, memory protections, and the sandbox itself. When a sandbox-escape bug is confirmed, patching priority should be high even if there is no public evidence of in-the-wild exploitation, because the flaw can dramatically raise the impact of other browser bugs.

For enterprise defenders, this is also a reminder to track Chromium-derived browsers separately. A fix landing in Chrome does not automatically mean every downstream browser has already shipped its own patched build to end users.

CVE-2025-4609 should be treated as a priority browser update issue. The practical action is straightforward: verify that Chrome and other Chromium-based browsers in your environment are on patched releases based on version 136 or newer, and do not assume that a renderer compromise remains safely contained if the sandbox layer itself is vulnerable.
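One way to act on that advice across a fleet is to read the Chromium major version out of User-Agent strings in web proxy logs and flag clients still below 136. The script below is an added example written for this article, not code from Google or Chromium; the log format (client IP followed by the User-Agent) and the log lines themselves are constructed, and a User-Agent check is only indicative, since the header can be altered or reduced by the browser (Chromium's reduced User-Agent keeps the major version, which is all this check relies on).

```python
import re

# Chrome 136 shipped the fix for CVE-2025-4609 (per the article); any Chromium-based
# browser reporting a lower Chromium major version is treated as unpatched.
PATCHED_MAJOR = 136

# Chromium-derived desktop browsers keep a "Chrome/<major>.x.y.z" token in their
# User-Agent even when a downstream token such as "Edg/" follows it. Chromium's
# reduced User-Agent zeroes the minor parts but keeps the major version.
CHROME_TOKEN = re.compile(r"\bChrome/(\d+)\.")

def chromium_major(user_agent):
    """Return the Chromium major version from a User-Agent string, or None if the
    browser is not Chromium-based (e.g. Safari or Firefox)."""
    match = CHROME_TOKEN.search(user_agent)
    return int(match.group(1)) if match else None

def find_unpatched(log_text, patched_major=PATCHED_MAJOR):
    """Parse constructed proxy log lines of the form "<client_ip> <user_agent>" and
    return {client_ip: major} for clients whose most recently seen Chromium-based
    browser is older than patched_major. Lines are assumed to be in time order, so a
    client that updated mid-log is judged by its latest entry only."""
    latest = {}
    for line in log_text.splitlines():
        parts = line.strip().split(" ", 1)
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, ua = parts
        major = chromium_major(ua)
        if major is not None:
            latest[client] = major
    return {client: major for client, major in latest.items() if major < patched_major}

# Constructed sample log (not real traffic): a Windows Chrome client that updates
# mid-log, an Edge client already on 136, a Linux client still on 134, and a Safari
# client that is not Chromium-based and is ignored.
SAMPLE_LOG = """\
10.0.0.11 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
10.0.0.12 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0
10.0.0.13 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
10.0.0.14 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15
10.0.0.11 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
"""

if __name__ == "__main__":
    for client, major in sorted(find_unpatched(SAMPLE_LOG).items()):
        print(f"{client}: Chromium {major} < {PATCHED_MAJOR}, update required")
```

Treat the output as a worklist to confirm against the endpoint's actual installed browser version, since the User-Agent alone does not prove a build is patched.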
