CVE-2025-4613 PUBLISHED

Client side RCE in Google Web Designer App

Assigner: Google
Reserved: 12.05.2025 Published: 12.06.2025 Updated: 14.06.2025

Path traversal in Google Web Designer's template handling versions prior to 16.3.0.0407 on Windows allows attacker to achieve remote code execution by tricking users into downloading a malicious ad template

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:L/VI:H/VA:L/SC:L/SI:H/SA:L/S:N/AU:N/R:U/V:D/RE:L
CVSS Score: 7.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	High	Integrity	High	Integrity	High
Attack Requirements	Present	Availability	Low	Availability	Low
Privileges Required	Low
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Google
Product	Web Designer App
Versions	Default: unaffected affected from 0 to 16.3.0.0407 (excl.)

Credits

Bálint Magyar finder

References

https://balintmagyar.com/articles/google-web-designer-path-traversal-client-side-rce-cve-2025-4613

Problem Types

CWE-20 Improper Input Validation CWE

Impacts

CAPEC-175 Code Inclusion