SameSite Cookie Bypass in Brave <1.83.10 Split View
CVE-2025-48980 Published on October 30, 2025

In Brave Browser Desktop versions prior to 1.83.10 with the split view feature enabled, the "Open Link in Split View" context menu item did not respect the SameSite cookie attribute. As a result, SameSite=Strict cookies were sent on cross-site navigations started through this menu item.

NVD

Weakness Type

Reliance on Cookies without Validation and Integrity Checking

The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user. Attackers can easily modify cookies, within the browser or by implementing the client-side code outside of the browser. Reliance on cookies without detailed validation and integrity checking can allow attackers to bypass authentication, conduct injection attacks such as SQL injection and cross-site scripting, or otherwise modify inputs in unexpected ways.


Products Associated with CVE-2025-48980

Affected Versions

Brave Desktop Browser:

Exploit Probability

EPSS: 0.04%
Percentile: 10.79%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.