Medium severityOSV Advisory· Published May 30, 2025· Updated Apr 15, 2026

CVE-2025-48883

Description

Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to XSS (cross-site scripting) vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding manually to their selectors if they are unable to upgrade.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
chrome-php/chromePackagist	< 1.14.0	1.14.0

Affected products

Chrome Php/ChromeOSV
Range: v0.1.0, v0.1.1, v0.1.2, …

Patches

9dce1e484a67

https://github.com/chrome-php/chromevia osv

34b2b8d1691f

[1.14] Security fix for missing encoding in `CssSelector` (#691)

https://github.com/chrome-php/chromedivinity76May 28, 2025via ghsa

commit PR #691

3 files changed · +27 −7

src/Dom/Selector/CssSelector.php+16 −4 modified

@@ -10,20 +10,32 @@
 final class CssSelector implements Selector
 {
     /** @var string */
-    private $expression;
+    private $expressionEncoded;
 
     public function __construct(string $expression)
     {
-        $this->expression = $expression;
+        $this->expressionEncoded = \json_encode(
+            $expression,
+            \JSON_UNESCAPED_SLASHES
+                | \JSON_UNESCAPED_UNICODE
+                | \JSON_THROW_ON_ERROR
+        );
     }
 
     public function expressionCount(): string
     {
-        return \sprintf('document.querySelectorAll("%s").length', $this->expression);
+        return \sprintf(
+            'document.querySelectorAll(%s).length',
+            $this->expressionEncoded
+        );
     }
 
     public function expressionFindOne(int $position): string
     {
-        return \sprintf('document.querySelectorAll("%s")[%d]', $this->expression, $position - 1);
+        return \sprintf(
+            'document.querySelectorAll(%s)[%d]',
+            $this->expressionEncoded,
+            $position - 1
+        );
     }
 }

tests/PageTest.php+4 −2 modified

@@ -21,7 +21,7 @@
  */
 class PageTest extends BaseTestCase
 {
-    private const WAIT_FOR_ELEMENT_HTML = '<div data-name="el">content</div>';
+    private const WAIT_FOR_ELEMENT_HTML = '<div data-name="el">content1</div><div data-name="&quot;el&quot;">content2</div>';
     private const WAIT_FOR_ELEMENT_RESOURCE_FILE = 'elementLoad.html';
 
     public function testSetViewport(): void
@@ -441,7 +441,9 @@ public function testWaitUntilContainsElement(): void
 
         self::assertStringNotContainsString(self::WAIT_FOR_ELEMENT_HTML, $page->getHtml());
 
-        $page->waitUntilContainsElement('div[data-name=\"el\"]');
+        $page->waitUntilContainsElement('div[data-name="el"]'); // search for <div data-name="el">
+        $page->waitUntilContainsElement('div[data-name=el]'); // search for <div data-name="el">
+        $page->waitUntilContainsElement('div[data-name=\"el\"]'); // search for <div data-name="&quot;el&quot;'>
 
         self::assertStringContainsString(self::WAIT_FOR_ELEMENT_HTML, $page->getHtml());
     }

tests/resources/static-web/elementLoad.html+7 −1 modified

@@ -11,9 +11,15 @@ <h1>page a</h1>
       let el = document.createElement('div');
 
       el.dataset.name = 'el';
-      el.innerHTML = 'content';
+      el.innerHTML = 'content1';
 
       document.body.appendChild(el)
+
+      let el2 = document.createElement('div');
+
+      el2.dataset.name = '"el"';
+      el2.innerHTML = 'content2';
+      document.body.appendChild(el2)
     }, 500)
 </script>
 </html>

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000