VYPR
Unrated severity · NVD Advisory · Published Aug 31, 2009 · Updated Apr 23, 2026

CVE-2009-3011

Description

Google Chrome 1.0.154.48 and earlier, 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta does not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: the JavaScript executes outside of the context of the HTTP site.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Google Chrome fails to block data: URIs in Refresh headers, allowing cross-site scripting (XSS) attacks via crafted HTTP responses.

Vulnerability

Google Chrome versions 1.0.154.48 and earlier, 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta do not properly block data: URIs in Refresh headers of HTTP responses. This allows an attacker to inject a Refresh header containing a data:text/html URI with embedded JavaScript sequences, bypassing the intended security boundary [1][2].

Exploitation

An attacker can exploit this by crafting an HTTP response that includes a Refresh header pointing to a data:text/html URI containing JavaScript code. This can be achieved via a server-side redirector or by controlling the content of a Refresh header. The attacker does not require authentication; they only need to induce the victim to visit a malicious or compromised site that returns such a response [1][2].
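
One way a redirector or response filter can refuse the header shape described above, shown as an added example (not code from the advisory or from Chrome): it parses a Refresh value and accepts only http/https targets. The function name, the scheme allowlist and the sample header values are assumptions constructed for illustration.

```python
import re

# Assumption: this site only ever refreshes to ordinary web pages.
ALLOWED_SCHEMES = {"http", "https"}

# "<seconds>" optionally followed by ";" or "," and "url=<target>".
# Anything that does not fit this shape is reported as malformed (fail closed).
_REFRESH_RE = re.compile(
    r"""^\s*(?P<delay>\d+)(?:\.\d*)?\s*
        (?:[;,]\s*(?:url\s*=\s*)?(?P<target>.*))?$""",
    re.IGNORECASE | re.VERBOSE | re.DOTALL,
)
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def classify_refresh(value):
    """Classify a Refresh header value by the scheme of its target URL."""
    m = _REFRESH_RE.match(value)
    if not m:
        return "malformed"
    target = (m.group("target") or "").strip()
    if not target:
        return "no-target"  # plain reload of the current page
    # Drop one pair of matching quotes around the URL.
    if len(target) >= 2 and target[0] == target[-1] and target[0] in "\"'":
        target = target[1:-1]
    # Browser URL parsing ignores ASCII tab/CR/LF and leading control
    # characters, so normalise before reading the scheme.
    target = re.sub(r"[\t\r\n]", "", target)
    target = re.sub(r"^[\x00-\x20]+", "", target)
    s = _SCHEME_RE.match(target)
    if not s:
        return "relative"
    scheme = s.group(1).lower()
    return "allowed" if scheme in ALLOWED_SCHEMES else "blocked:" + scheme


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for sample in ("5",
                   "0; URL='https://example.com/next'",
                   "0;url=/login",
                   "0;url=data:text/html,placeholder",
                   "0;url= DaTa:text/html;base64,AAAA"):
        print(f"{sample!r:45} -> {classify_refresh(sample)}")
```

A redirector would emit the header only for "allowed", "relative" or "no-target" results; the same function can be run over logged response headers to find values that carry a data: target.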

Impact

Successful exploitation results in cross-site scripting (XSS) where the JavaScript executes outside the context of the original HTTP site. This can lead to cookie theft, session hijacking, or other malicious actions within the browser's security context of the data: URI [1][2].

Mitigation

No fix is disclosed in the available references for the affected Chrome versions. Users should consider upgrading to a later version of Google Chrome that addresses this vulnerability. As of the publication date, no workaround is provided [1][2].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Google/Chrome: 21 versions
    • cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:* (range: <=1.0.154.48)
    • cpe:2.3:a:google:chrome:0.2.149.27:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.2.149.29:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.2.149.30:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.2.152.1:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.2.153.1:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.3.154.0:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.3.154.3:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.4.154.18:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.4.154.22:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.4.154.31:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:0.4.154.33:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:1.0.154.36:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:1.0.154.39:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:1.0.154.42:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:1.0.154.43:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:1.0.154.46:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:2.0.172.28:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:2.0.172.37:*:*:*:*:*:*:*
    • cpe:2.3:a:google:chrome:3.0.193.2:beta:*:*:*:*:*:*
    • (no CPE) range: <=1.0.154.48, 2.0.172.28, 2.0.172.37, 3.0.193.2 Beta

Patches

0

No patches discovered yet.

References

3
