PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5011 Google CVE debrief

CVE-2017-5011 is a medium-severity Google Chrome issue involving insufficiently sanitized DevTools URLs. According to the CVE description, a remote attacker could abuse this weakness after convincing a user to install a malicious extension, then use a crafted HTML page to read filesystem contents. The CVSS vector reflects a network attack vector but also a user-interaction requirement, which limits practical exposure compared with fully unauthenticated browser flaws.

Vendor: Google
Product: CVE-2017-5011
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

Organizations that manage Google Chrome on Windows, especially environments where users can install browser extensions or routinely browse untrusted web content. Security teams should also pay attention to downstream Linux and enterprise package advisories that track Chrome security fixes.

Technical summary

The supplied CVE description says Chrome prior to 56.0.2924.76 for Windows insufficiently sanitized DevTools URLs, enabling filesystem-content disclosure through a crafted HTML page after a malicious extension was installed. NVD classifies the issue as CWE-200 and lists CVSS 3.0 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating a high confidentiality impact with no integrity or availability impact and user interaction required. The NVD CPE criteria in the provided corpus also mark affected Chrome versions through 55.0.2883.87, while the CVE description names the fix as 56.0.2924.76; both values come from the supplied sources and should be treated as source-provided version context.

Defensive priority

Medium. The issue can expose sensitive local data, but exploitation depends on user action and a malicious extension being installed first. Patch prioritization should be elevated for fleets that allow extension installation or have broad access to sensitive local files.

Recommended defensive actions

  • Upgrade Google Chrome to a fixed release at or above the version named in the CVE description and vendor advisories.
  • Restrict browser extension installation to approved sources and approved users where possible.
  • Review extension governance policies and remove unapproved or unnecessary extensions.
  • Monitor endpoints for outdated Chrome versions that fall within the affected range listed by NVD.
  • Treat user reports of unexpected browser extension prompts or DevTools-related behavior as security events.
  • Use the linked vendor and distribution advisories to confirm remediation status across managed platforms.
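The "monitor endpoints for outdated Chrome versions" item above is easy to get wrong because the page's two sources disagree on the boundary: NVD's CPE range ends at 55.0.2883.87 while the CVE description names 56.0.2924.76 as the fix. The following added example (not part of the PatchSiren page, and not a Google or NVD tool) compares dotted Chrome versions numerically against both bounds and reports the gap between them as "unconfirmed" rather than silently treating it as patched. The inventory it processes is a constructed sample in a hostname,version CSV shape, not data from the page.

```python
# Version bounds quoted on the page: NVD's CPE range ends at 55.0.2883.87,
# while the CVE description names 56.0.2924.76 as the fixed release.
AFFECTED_THROUGH = "55.0.2883.87"
FIXED_IN = "56.0.2924.76"


def parse_version(text):
    """Turn a dotted Chrome version string into a comparable tuple of ints.

    String comparison would rank 55.0.2883.9 above 55.0.2883.87; integer
    tuples compare each component numerically instead.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(p) for p in parts)


def classify(installed):
    """Map an installed Chrome version to a remediation status for this CVE.

    At or above the fix version -> 'fixed'; at or below the NVD upper bound
    -> 'affected'. Versions between the two bounds fall into the source
    inconsistency the page notes and are reported as 'unconfirmed' so they
    are still surfaced for follow-up.
    """
    v = parse_version(installed)
    if v >= parse_version(FIXED_IN):
        return "fixed"
    if v <= parse_version(AFFECTED_THROUGH):
        return "affected"
    return "unconfirmed"


def triage_inventory(csv_text):
    """Parse 'hostname,chrome_version' lines into (host, version, status) rows."""
    results = []
    for line in csv_text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            status = classify(version)
        except ValueError:
            # Missing or malformed version strings are flagged, not dropped.
            status = "unparseable"
        results.append((host.strip(), version.strip(), status))
    return results


def hosts_needing_action(csv_text):
    """Return every row whose status is anything other than 'fixed'."""
    return [row for row in triage_inventory(csv_text) if row[2] != "fixed"]


# Constructed sample inventory (hypothetical hosts, not data from the page).
SAMPLE_INVENTORY = """\
# host,chrome_version
ws-001,55.0.2883.87
ws-002,56.0.2924.76
ws-003,55.0.2883.95
ws-004,57.0.2987.133
ws-005,not installed
"""


if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print("%-8s %-16s %s" % (host, version, status))
```

Feeding the sample through reports ws-001 as affected, ws-003 as unconfirmed (inside the gap between the two bounds), ws-005 as unparseable, and ws-002 and ws-004 as fixed; only the fixed rows are excluded from the follow-up list.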

Evidence notes

All statements above are derived from the supplied CVE/NVD corpus and the listed official or vendor-linked references. The corpus shows a source-provided description of insufficiently sanitized DevTools URLs, malicious-extension precondition, and filesystem-content disclosure. It also provides the CVSS vector, CWE-200 mapping, affected-version criteria, and multiple reference URLs. One source-detail inconsistency is present in the supplied data: the CVE description cites a fix in Chrome 56.0.2924.76 for Windows, while the NVD CPE criteria in the corpus list affected versions through 55.0.2883.87. No fetched page text was used.

Official resources

Publicly disclosed on 2017-02-17. The supplied corpus does not indicate KEV inclusion.