CVE-2025-7021: OpenAI Operator: fullscreen spoofing captures credentials

MEDIUM | PoC AVAILABLE | CISA: TRACK*
Published July 10, 2025
CISO Take

OpenAI Operator users are vulnerable to a UI redressing attack where malicious sites trigger browser fullscreen mode to overlay fake browser chrome and phishing forms, capturing credentials. No confirmed patch exists; brief users that legitimate Operator sessions will never request credentials via fullscreen overlays. Restrict Operator to allowlisted domains until OpenAI issues a fix.

Risk Assessment

Medium severity (CVSS 6.5) with high confidentiality impact. Low attack complexity and no required privileges make this accessible to unsophisticated attackers. Risk is amplified in AI agent contexts: users delegating browsing to Operator are less attentive to UI anomalies, and the trust boundary between real browser chrome and Operator-rendered content is already blurred. Any organization using Operator for employee workflows is exposed.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
operator | pip | | No patch
30.7K OpenSSF 5.6 13.6K dependents Pushed 7d ago 0% patched


Severity & Risk

CVSS 3.1: 6.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 41% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: None
A: None

Recommended Action

  1. Restrict Operator usage to an approved allowlist of vetted domains via policy.

  2. Brief all Operator users: no legitimate session requests credentials through a fullscreen overlay — treat any such prompt as an attack.

  3. Where possible, apply browser-level CSP or enterprise policy to restrict Fullscreen API on unrecognized domains.

  4. Deploy browser extensions that visually alert on fullscreen transitions.

  5. Review Operator session logs for navigation to unknown or newly registered domains.

  6. Subscribe to OpenAI security advisories and apply patches immediately when available.
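One way to apply steps 1 and 5 together, as an added example that is not part of the original advisory or of any OpenAI tooling: check each navigation in a session log against the domain allowlist using the hostname the browser would actually connect to. The log line format, the allowlist entries and every hostname below are constructed assumptions; Operator's real session-log format is not described on this page.

```python
from urllib.parse import urlsplit

# Assumption: vetted domains from your own policy (constructed values).
ALLOWLIST = {"example.com", "intranet.example.org"}

# Constructed sample lines: "<timestamp> <session-id> NAVIGATE <url>"
SAMPLE_LOG = """\
2025-07-11T09:02:11Z s-101 NAVIGATE https://sso.example.com/login
2025-07-11T09:02:40Z s-101 NAVIGATE https://sso.example.com.login-portal.test/auth
2025-07-11T09:03:05Z s-102 NAVIGATE https://example.com@portal-verify.test/
2025-07-11T09:03:30Z s-102 NAVIGATE https://INTRANET.example.org./wiki
2025-07-11T09:04:02Z s-103 NAVIGATE https://notexample.com/
2025-07-11T09:04:20Z s-103 NAVIGATE data:text/html,login
"""

def host_of(url):
    """Return the normalised host a browser would connect to, or None."""
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed authority, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None             # data:, javascript:, file: etc. are never allowlisted
    # .hostname already drops userinfo ("user@") and the port, and lowercases.
    return parts.hostname.rstrip(".")

def is_allowed(url, allowlist=ALLOWLIST):
    host = host_of(url)
    if host is None:
        return False
    # Exact match or a true subdomain; a plain suffix test would accept
    # "notexample.com" for "example.com".
    return any(host == d or host.endswith("." + d) for d in allowlist)

def flag_navigations(log_text, allowlist=ALLOWLIST):
    """Return (timestamp, session, target) for every off-allowlist navigation."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4 or fields[2] != "NAVIGATE":
            continue
        ts, session, _, url = fields
        if not is_allowed(url, allowlist):
            findings.append((ts, session, host_of(url) or url))
    return findings

if __name__ == "__main__":
    for ts, session, target in flag_navigations(SAMPLE_LOG):
        print(f"{ts} {session} off-allowlist navigation: {target}")
```

The same `is_allowed` check can gate navigation before it happens (step 1) and be replayed over historical logs (step 5), so both controls agree on what counts as a vetted domain.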

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 13 - Transparency and provision of information to users
ISO 42001: 8.4 - AI system transparency and information for users
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain value and integrity of deployed AI systems
OWASP LLM Top 10: LLM08 - Excessive Agency; LLM09 - Overreliance

Frequently Asked Questions

What is CVE-2025-7021?

OpenAI Operator users are vulnerable to a UI redressing attack where malicious sites trigger browser fullscreen mode to overlay fake browser chrome and phishing forms, capturing credentials. No confirmed patch exists; brief users that legitimate Operator sessions will never request credentials via fullscreen overlays. Restrict Operator to allowlisted domains until OpenAI issues a fix.

Is CVE-2025-7021 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-7021, increasing the risk of exploitation.

How to fix CVE-2025-7021?

  1. Restrict Operator usage to an approved allowlist of vetted domains via policy.

  2. Brief all Operator users: no legitimate session requests credentials through a fullscreen overlay — treat any such prompt as an attack.

  3. Where possible, apply browser-level CSP or enterprise policy to restrict Fullscreen API on unrecognized domains.

  4. Deploy browser extensions that visually alert on fullscreen transitions.

  5. Review Operator session logs for navigation to unknown or newly registered domains.

  6. Subscribe to OpenAI security advisories and apply patches immediately when available.

What systems are affected by CVE-2025-7021?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, web-based AI interfaces, LLM-powered browser automation.

What is the CVSS score for CVE-2025-7021?

CVE-2025-7021 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.19%.

Technical Details

NVD Description

Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site.

Exploitation Scenario

Attacker registers a domain mimicking a legitimate SaaS tool (e.g., fake SSO or corporate portal). Via SEO poisoning or indirect prompt injection embedded in a document Operator is tasked with browsing, the agent navigates to the malicious page. The page calls requestFullscreen(), rendering a pixel-perfect fake browser window. A fake cookie consent banner is overlaid to obscure the browser's built-in fullscreen notification bar. The user, already trusting the Operator session, enters login credentials or PII into the fake form. Credentials are exfiltrated server-side with no malware required.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Timeline

Published: July 10, 2025
Last Modified: July 24, 2025
First Seen: July 10, 2025
