Web browser: Gap in Brave allows fake display of download source

Attackers can exploit a vulnerability in the Brave web browser that leads to the incorrect display of a download source.

[Image: a web browser on a laptop, burning. Image created with AI in Bing Designer by heise online / dmk]

The Brave web browser is very popular due to its integrated ad blocking function. A security vulnerability has now been discovered that could allow attackers to falsely display the source of a download. A Brave update plugs the security leak.

The user with the handle syarif07 reported the security-relevant error on the bug bounty platform HackerOne. Attackers can have a different URL displayed in the operating system's "Save file" dialog instead of the actual download source. According to syarif07, this is because Brave uses the Referer header to determine what to display, and that header can be falsified, so a trustworthy source can be faked. This allows attackers to disguise malware downloads, for example.

Initially, the reporter had suggested "critical" as the severity of the vulnerability, but the Brave developers downgraded it to "high": critical vulnerabilities would have required a hotfix, and the lower rating gave them more time to correct the program. A CVE number has now also been assigned and was published this morning (CVE-2025-23086, no CVSS value, risk "high").

The CVE entry explains the vulnerability as follows: on most desktop platforms, Brave Browser 1.70 to 1.73 uses a feature that displays the source page in the file selection dialog provided by the operating system when a page presents a file upload or download dialog to users. In some cases the source was not correctly inferred, which, together with an open referrer vulnerability on a trusted website, could be abused by a malicious website to make a download appear to come from the trusted site.
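To make the difference between the two inference strategies concrete, here is a small added model (example code written for this article, not Brave's code): a download is represented as the list of HTTP hops the browser saw, and the weak inference reads the Referer of the last hop while the hardened one uses the origin that actually served the file. The hop list, hostnames and the assumption that the "open referrer vulnerability" behaves like an open redirect on the trusted site are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the hops a browser sees for one download. Hop 0 is the
# trusted site's redirect endpoint (assumed here to forward to any URL); hop 1 is
# the untrusted host that actually serves the file. All hostnames are made up.
SAMPLE_HOPS = [
    {"url": "https://trusted.example/out?to=https://files.untrusted.example/setup.exe",
     "referer": "https://lure.untrusted.example/page.html"},
    {"url": "https://files.untrusted.example/setup.exe",
     "referer": "https://trusted.example/out?to=https://files.untrusted.example/setup.exe"},
]


def host(url):
    """Host part of a URL, or None if it has none."""
    return urlsplit(url).hostname


def source_from_referer(hops):
    """Weak inference, as the report describes it: trust the Referer header of the
    final hop. After a redirect through trusted.example that header names the
    trusted site, not the host that served the bytes."""
    return host(hops[-1]["referer"])


def source_from_response(hops):
    """Hardened inference: show the origin that answered the final request.
    A redirect cannot change this without also changing where the file comes from."""
    return host(hops[-1]["url"])


def check_download_source(hops):
    """Return what each inference would display, the page that initiated the
    download, and whether the two inferences disagree (the spoofing condition)."""
    via_referer = source_from_referer(hops)
    via_response = source_from_response(hops)
    return {
        "displayed_weak": via_referer,
        "displayed_fixed": via_response,
        "initiator": host(hops[0]["referer"]),
        "mismatch": via_referer != via_response,
    }


if __name__ == "__main__":
    print(check_download_source(SAMPLE_HOPS))
```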

Brave closes the vulnerability with version 1.74.48, which was released in the middle of last week. It can be downloaded from the Brave download page. Anyone using Brave should check whether the fixed version or a newer one is already active and update if necessary.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.