PatchSiren cyber security CVE debrief
CVE-2017-5022 Google CVE debrief
CVE-2017-5022 is a browser-side Content Security Policy bypass in the Blink engine of Google Chrome. A remote attacker could use a crafted HTML page to get past Chrome's enforcement of unsafe-inline CSP restrictions in affected releases. The issue carries a medium CVSS score (4.3) and requires user interaction (the victim must load the attacker's page), so it matters mainly where CSP is counted on as a defensive layer against injected inline script; it is a reminder that CSP should never be treated as a standalone security boundary.
- Vendor: Google
- Product: Chrome
- CVE: CVE-2017-5022
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-17
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-17
- Advisory updated: 2026-05-13
Who should care
Security teams running Google Chrome in managed environments, web application owners that depend on Content Security Policy to reduce script execution risk, and end users on affected Chrome versions prior to the fixed releases.
Technical summary
According to the NVD description, Blink in Google Chrome prior to 56.0.2924.76 for Linux, Windows, and Mac, and prior to 56.0.2924.87 for Android, did not properly enforce unsafe-inline Content Security Policy. The result was a CSP bypass reachable through a crafted HTML page. The NVD vector reflects network attack, low complexity, no privileges, and user interaction required, with integrity impact only.
Defensive priority
Medium. The flaw weakens a browser security control rather than directly enabling code execution, but it can meaningfully reduce the protection web applications expect from CSP.
Recommended defensive actions
- Upgrade Google Chrome to a fixed release: 56.0.2924.76 or later on Linux, Windows, and Mac; 56.0.2924.87 or later on Android.
- Review web applications that rely on Content Security Policy, especially policies whose script-src (or default-src fallback) includes unsafe-inline. Treat CSP as a mitigation that can itself fail inside the browser, not as the control that makes an injection bug safe, and prefer nonce- or hash-based script allowances over unsafe-inline where the application can support them.
- Use defense-in-depth controls for web applications, including output encoding, server-side validation, and minimizing reliance on inline script allowances.
- If you operate enterprise browser management, confirm endpoint fleet compliance with the fixed Chrome versions and prioritize devices that routinely access sensitive web applications.
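One way to check fleet compliance against the fixed releases listed above, as an added example that is not from the advisory or from Google: a small script that compares each device's Chrome version with the per-platform fixed version numerically, component by component, so that a build such as 56.0.2924.9 is not mistaken for a later release than 56.0.2924.76. The inventory records are constructed for the example; in practice they would come from an export of your browser-management or endpoint inventory tool.

```javascript
// Added example (not vendor code): per-platform fixed-release check for the
// Chrome versions named in this debrief. Sample inventory is constructed.
const FIXED_VERSIONS = {
  linux: "56.0.2924.76",
  windows: "56.0.2924.76",
  mac: "56.0.2924.76",
  android: "56.0.2924.87",
};

// Compare dotted-decimal versions numerically: returns -1, 0 or 1.
// Missing trailing components are treated as 0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when `version` on `platform` is at or above the fixed release.
// Unknown platforms and malformed versions are reported as not fixed so that
// they surface in the report instead of being silently skipped.
function isFixed(platform, version) {
  const fixed = FIXED_VERSIONS[String(platform).toLowerCase()];
  if (!fixed || !/^\d+(\.\d+)*$/.test(version)) return false;
  return compareVersions(version, fixed) >= 0;
}

// Devices still on a vulnerable release, with users of sensitive apps listed first
// so they can be prioritised for the upgrade.
function nonCompliant(inventory) {
  return inventory
    .filter((d) => !isFixed(d.platform, d.chrome))
    .sort((a, b) => Number(b.sensitive) - Number(a.sensitive));
}

// Constructed sample inventory (hostnames and versions are made up).
const SAMPLE_INVENTORY = [
  { host: "ws-001", platform: "windows", chrome: "56.0.2924.76", sensitive: true },
  { host: "ws-002", platform: "windows", chrome: "55.0.2883.87", sensitive: true },
  { host: "lx-010", platform: "linux", chrome: "56.0.2924.9", sensitive: false },
  { host: "mb-004", platform: "mac", chrome: "57.0.2987.98", sensitive: false },
  { host: "an-112", platform: "android", chrome: "56.0.2924.76", sensitive: true },
  { host: "an-113", platform: "android", chrome: "56.0.2924.87", sensitive: false },
];

for (const d of nonCompliant(SAMPLE_INVENTORY)) {
  const needed = FIXED_VERSIONS[d.platform] ?? "unknown platform";
  console.log(`${d.host}\t${d.platform}\t${d.chrome}\tneeds ${needed}`);
}
```

Note that the Android build at 56.0.2924.76 is reported as non-compliant: the Android fix shipped in 56.0.2924.87, so a single fleet-wide threshold would miss it.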
Evidence notes
This debrief is grounded in the supplied NVD record and its references. The NVD description states that Chrome’s Blink engine failed to properly enforce unsafe-inline CSP and that a crafted HTML page could bypass CSP. The provided version ranges identify affected Chrome releases. The NVD CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N, which supports a medium-severity, user-interaction-dependent browser exposure. No exploit details beyond the source description are included.
Official resources
Publicly disclosed on 2017-02-17. Use the supplied published date for timing context; the later modified date reflects record maintenance, not initial disclosure.