CVE-2020-6445 in Chrome

Summary

by MITRE

Insufficient policy enforcement in trusted types in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to bypass content security policy via a crafted HTML page.


Analysis

by VulDB Data Team • 05/09/2025

The vulnerability identified as CVE-2020-6445 represents a critical weakness in Google Chrome's implementation of Trusted Types, a security feature designed to prevent DOM-based cross-site scripting (XSS) by enforcing strict policies on how potentially dangerous content may reach security-sensitive DOM sinks. The flaw existed in Chrome versions prior to 81.0.4044.92 and allowed remote attackers to circumvent Content Security Policy (CSP) protections through carefully crafted HTML pages. The issue stems from inadequate enforcement of Trusted Types policies, which should have prevented the execution of malicious code by ensuring that only content produced by a trusted policy could be used in sensitive operations.

Technically, the vulnerability is a bypass of Chrome's Trusted Types implementation, which was intended to provide a secure way to handle dangerous operations such as innerHTML assignments, DOM manipulation, and other security-sensitive sinks. When Trusted Types is properly enforced, any value used in these operations must first be explicitly marked as trusted by passing through a policy the page has defined. In this case, however, the enforcement mechanism was insufficient, allowing attackers to inject content that slipped past the checks. The vulnerability specifically affected the relationship between CSP directives and Trusted Types policies: the policy enforcement did not properly validate or apply the restrictions that the CSP directives expressed.
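To make the enforcement just described concrete, the following is an added model of how a CSP header drives Trusted Types checks; it is illustration code, not Chrome's implementation and not part of the VulDB entry. The header value, the policy name `appPolicy`, and the `assignInnerHTML` sink stand-in are assumptions for the example.

```javascript
// Model of CSP-driven Trusted Types enforcement (illustration only, not browser code).
// Assumed page header:
//   Content-Security-Policy: require-trusted-types-for 'script'; trusted-types appPolicy
// Real browsers expose window.trustedTypes; here the same checks are modelled in plain Node.

// Parse the two Trusted Types directives out of a CSP header string.
function parseTrustedTypesCsp(header) {
  const cfg = { requireForScript: false, allowedPolicies: null };
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/);
    if (name === 'require-trusted-types-for' && values.includes("'script'")) {
      cfg.requireForScript = true;            // string sinks now demand TrustedHTML
    } else if (name === 'trusted-types') {
      cfg.allowedPolicies = new Set(values);  // allowlist of policy names
    }
  }
  return cfg;
}

// A TrustedHTML value can only be minted by a policy; the wrapped string is private.
class TrustedHTML {
  #value;
  constructor(value) { this.#value = value; }
  toString() { return this.#value; }
}

// Mirror of trustedTypes.createPolicy: a name outside the CSP allowlist is refused.
function createPolicy(cfg, name, rules) {
  const allowed = cfg.allowedPolicies;
  if (allowed && !allowed.has(name) && !allowed.has('*')) {
    throw new TypeError(`Policy "${name}" is not allowed by the trusted-types directive`);
  }
  return { name, createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))) };
}

// The sink check: under require-trusted-types-for 'script', an innerHTML-style sink
// must receive a TrustedHTML instance; a raw string is rejected before it reaches the DOM.
function assignInnerHTML(cfg, element, value) {
  if (cfg.requireForScript && !(value instanceof TrustedHTML)) {
    throw new TypeError('This document requires TrustedHTML assignment');
  }
  element.innerHTML = String(value);
  return element.innerHTML;
}

// Demo with a constructed header: the policy escapes angle brackets, so whatever
// untrusted text the page passes through it arrives at the sink as inert markup.
const cfg = parseTrustedTypesCsp("require-trusted-types-for 'script'; trusted-types appPolicy");
const escapeHtml = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const appPolicy = createPolicy(cfg, 'appPolicy', { createHTML: escapeHtml });
const rendered = assignInnerHTML(cfg, {}, appPolicy.createHTML('<b>user text</b>'));
```

The bug described on this page sat in the real browser's version of the `assignInnerHTML` check, where a crafted page could reach the sink without the policy step this model enforces.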

The operational impact of this vulnerability is significant as it undermines fundamental web security mechanisms that protect users from various forms of cross-site scripting attacks. Attackers could exploit this weakness by crafting HTML pages that appear legitimate but contain malicious payloads designed to bypass CSP protections. This would enable them to inject scripts, manipulate DOM elements, and potentially execute arbitrary code in the context of the victim's browser session. The vulnerability essentially creates a pathway for attackers to circumvent the security boundaries that browsers establish to protect users from malicious web content, making it particularly dangerous in environments where users encounter untrusted web content.

The flaw aligns with CWE-693 (protection mechanism failure) and demonstrates how an inadequately implemented security control can be bypassed entirely. From an ATT&CK framework perspective, this vulnerability maps to techniques involving code injection and privilege escalation, since it allows attackers to execute malicious code in the browser context. The vulnerability also relates to T1211, which covers exploitation of known vulnerabilities, and to T1557, which involves man-in-the-middle attacks through compromised web content. Organizations and users are strongly advised to update to Chrome version 81.0.4044.92 or later, where Trusted Types enforcement has been corrected and the bypass patched. Administrators should additionally ensure that CSP policies are properly configured and regularly audited so that web security defenses remain effective. The incident underscores the importance of rigorous security testing for complex browser security features and shows how a subtle implementation flaw can have significant consequences for user safety and web security posture.
