Everybody knows browser extensions are embedded into nearly every user’s daily workflow, from spell checkers to GenAI tools. What most IT and security people don’t know is that browser extensions’ excessive permissions are a growing risk to organizations.
LayerX today announced the release of the Enterprise Browser Extension Security Report 2025, This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry. By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions.
The report reveals several findings that IT and security leaders will find interesting, as they build their plans for H2 2025. This includes information and analysis on how many extensions have risky permissions, which kinds of permissions are given, if extension developers are to be trusted, and more. Below, we bring key statistics from the report.
1. Browser extensions are ubiquitous in enterprise environments. 99%, nearly all, of employees, have browser extensions installed. 52% have more than 10 extensions installed.
Security analysis: Nearly all employees are exposed to browser extension risk.
2. Most extensions can access critical data. 53% of enterprise users’ extensions can access sensitive data like cookies, passwords, web page contents, browsing information, and more.
Security analysis: An employee-level compromise could jeopardize the entire organization.
3. Who publishes these extensions? Who knows? More than half (54%) of extension publishers are unknown and only identified via Gmail. 79% of publishers only published one extension.
Security analysis: Tracking the reputability of extensions is difficult, if possible at all with IT resources.
4. GenAI extensions are a growing threat. Over 20% of users have at least one GenAI extension, and 58% of these have high-risk permission scopes.
Security analysis: Enterprises should define clear policies for GenAI extension use and data sharing.
5. Unmaintained and unknown browser extensions are a growing concern. 51% of extensions haven’t been updated in over a year, and 26% of enterprise extensions are sideloaded, bypassing even basic store vetting.
Security analysis: Extensions can be vulnerable even if they’re not purposefully malicious.
The report not only brings data, it also provides actionable guidance for security and IT teams, recommending how to deal with the browser extension threat.
Here’s what LayerX advises organizations:
Browser extensions are not just a productivity tool, they’re an attack vector most organizations do not know exists. LayerX’s 2025 report provides comprehensive findings and data-driven analysis to help CISOs and security teams rein in this risk and build defensible browser environments.
Download the full report.
