PatchSiren cyber security CVE debrief
CVE-2016-5225 Google CVE debrief
CVE-2016-5225 is a Google Chrome Blink bug that could let a remote attacker bypass Content Security Policy (CSP) by serving a crafted HTML page with malformed form actions. The record shows network-based attack conditions with user interaction required, and the documented impact is limited to integrity.
- Vendor: Google
- Product: Chrome
- CVE: CVE-2016-5225
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-19
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-19
- Advisory updated: 2026-05-13
Who should care
Security teams and administrators managing Google Chrome on desktop or Android should care, especially where CSP is used as a key browser-side defense for sensitive web applications. Web app owners who rely on CSP should also treat this as a reminder that CSP is defense-in-depth, not a standalone control.
Technical summary
According to the CVE description, Blink in Chrome handled form actions incorrectly, which allowed a remote attacker to bypass CSP via a crafted HTML page. The affected Chrome builds are described as versions before 55.0.2883.75 on Mac, Windows, and Linux, and before 55.0.2883.84 on Android. NVD classifies the issue with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N and CWE-19.
Defensive priority
Medium priority: apply the vendor-fixed Chrome release promptly, especially on managed fleets and on systems where CSP is relied upon for application isolation or policy enforcement.
Recommended defensive actions
- Update Google Chrome to a fixed release at or above 55.0.2883.75 on Mac, Windows, and Linux, or 55.0.2883.84 on Android.
- Verify installed Chrome versions across endpoints and mobile fleets, and prioritize systems that access sensitive web applications.
- Use centralized update controls to force timely browser patching on managed devices.
- Review security assumptions around Content Security Policy and keep complementary controls in place, since CSP bypasses can weaken policy-based defenses.
- Track vendor and downstream advisories referenced in the record for deployment guidance and confirmation of remediated builds.
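As an added example (not part of this debrief or of any Chrome tooling), the following Python helper checks inventoried Chrome versions against the platform-specific fixed builds named above, treating the Android threshold separately from the desktop one; the inventory lines and host names are constructed placeholders.

```python
import re

# Minimum fixed Chrome build per platform, as stated in the CVE-2016-5225 record.
FIXED_BUILDS = {
    "mac": (55, 0, 2883, 75),
    "windows": (55, 0, 2883, 75),
    "linux": (55, 0, 2883, 75),
    "android": (55, 0, 2883, 84),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 55.0.2883.75'; returns a tuple or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_fixed(version_text, platform):
    """True if the build is at or above the fixed release for its platform.
    Unparseable versions and unknown platforms count as not fixed, so they
    surface for manual review instead of passing silently."""
    v = parse_version(version_text)
    fixed = FIXED_BUILDS.get(platform.strip().lower())
    return v is not None and fixed is not None and v >= fixed

def triage_inventory(lines):
    """Return hosts from 'host,platform,version' lines that still need the update."""
    outdated = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, platform, version = (p.strip() for p in line.split(",", 2))
        if not is_fixed(version, platform):
            outdated.append(host)
    return outdated

# Constructed sample inventory; the host names are placeholders, not real systems.
SAMPLE_INVENTORY = [
    "# host,platform,version",
    "wks-01,windows,Google Chrome 55.0.2883.75",
    "wks-02,linux,Google Chrome 54.0.2840.100",
    "mob-01,android,Chrome 55.0.2883.75",  # fixed on desktop, still vulnerable on Android
    "mob-02,android,Chrome 55.0.2883.84",
    "wks-03,windows,version unknown",
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))  # ['wks-02', 'mob-01', 'wks-03']
```

Hosts whose version cannot be parsed are deliberately reported as outdated so they are reviewed rather than assumed patched.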
Evidence notes
This debrief is based on the supplied CVE description, NVD record metadata, and the referenced Google/Chromium and downstream advisories in the corpus. The CVE was published on 2017-01-19; the later modified date in NVD metadata is not treated as the vulnerability issue date. NVD lists a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N and CWE-19. The NVD reference set includes Google Chrome stable-channel release notes, a Chromium issue tracker entry, and downstream vendor advisories.
Official resources
Publicly disclosed in the CVE/NVD record on 2017-01-19, with vendor and downstream advisories in the corpus pointing to the corresponding Chrome stable-channel update in December 2016.