High-Severity Chrome Vulnerability Exposes Cross-Origin Data via Loader Referrer Policy

On May 14, 2025, Google released an urgent security update for its Chrome web browser, addressing four vulnerabilities, including one that Google confirmed is being exploited in the wild. That vulnerability, tracked as CVE-2025-4664, is rated High severity by Google even though its CVSS base score is only 4.3, reflecting that it leaks data rather than executing code. It stems from insufficient policy enforcement in Chrome's Loader component.

The flaw allows a remote attacker to leak cross-origin data by serving a crafted HTML page. Security researcher Vsevolod Kokorin (@slonser_) disclosed the issue publicly on May 5, 2025, noting that Chrome, unlike other browsers, processes the Link header on sub-resource requests and lets that header set a referrer policy. By specifying the 'unsafe-url' referrer policy, an attacker causes the browser to send the full URL of the referring page, query string included, in the Referer header to the attacker's server.

Kokorin emphasized that those query parameters can carry sensitive data, so the leak can escalate to full account takeover. He demonstrated that the parameters could be exfiltrated simply by having the victim page load an image from a third-party resource, showing how little attacker interaction the technique needs.
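To make the mechanism concrete, the following is an added example written for this article, not code from Chrome, Google or Kokorin. It models the W3C Referrer Policy algorithm for a request issued by a document, and shows what a cross-origin image fetch discloses under Chrome's default policy versus 'unsafe-url'. The callback URL, the image host and the list of "sensitive" parameter names are constructed for the example; it does not reproduce the Link-header trick itself, only the referrer semantics that the trick abuses.

```javascript
// Added example (not from the article): a model of the W3C Referrer Policy
// "determine request's referrer" algorithm, used to show what Referer header a
// cross-origin image request carries under each policy. Uses Node's global URL.

// Per the spec, a referrer is the document URL with credentials and fragment removed.
function stripForReferrer(u) {
  const url = new URL(u);
  url.username = '';
  url.password = '';
  url.hash = '';
  return url.href;
}

// The origin form of a referrer is the serialized origin plus a trailing slash.
function originOf(u) {
  return new URL(u).origin + '/';
}

// Approximation of "potentially trustworthy URL": https/wss or a loopback host.
function isTrustworthy(u) {
  const { protocol, hostname } = new URL(u);
  return protocol === 'https:' || protocol === 'wss:' ||
    hostname === 'localhost' || hostname === '127.0.0.1';
}

// Returns the Referer value (null = no header) that a browser sends for a
// request to requestUrl made by a document at documentUrl under policy.
function referrerFor(documentUrl, requestUrl, policy) {
  const sameOrigin = new URL(documentUrl).origin === new URL(requestUrl).origin;
  const downgrade = isTrustworthy(documentUrl) && !isTrustworthy(requestUrl);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'unsafe-url':                       // full URL, even cross-origin and on downgrade
      return stripForReferrer(documentUrl);
    case 'origin':
      return originOf(documentUrl);
    case 'same-origin':
      return sameOrigin ? stripForReferrer(documentUrl) : null;
    case 'origin-when-cross-origin':
      return sameOrigin ? stripForReferrer(documentUrl) : originOf(documentUrl);
    case 'strict-origin':
      return downgrade ? null : originOf(documentUrl);
    case 'no-referrer-when-downgrade':
      return downgrade ? null : stripForReferrer(documentUrl);
    case '':                                 // empty string means the default policy
    case 'strict-origin-when-cross-origin':  // Chrome's default since 85
      if (downgrade) return null;
      return sameOrigin ? stripForReferrer(documentUrl) : originOf(documentUrl);
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

// Assumed list of query parameter names that commonly carry secrets.
const SENSITIVE_PARAMS = ['code', 'token', 'access_token', 'id_token', 'state', 'session', 'key'];

// Reports which sensitive query parameters a given Referer value would disclose.
function leakedParams(referrer) {
  if (!referrer) return [];
  const params = new URL(referrer).searchParams;
  return SENSITIVE_PARAMS.filter((name) => params.has(name));
}

// Constructed sample: an OAuth-style callback page that embeds a third-party image.
const CALLBACK = 'https://app.example/oauth/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj';
const THIRD_PARTY_IMAGE = 'https://cdn.third-party.example/logo.png';

for (const policy of ['strict-origin-when-cross-origin', 'unsafe-url']) {
  const ref = referrerFor(CALLBACK, THIRD_PARTY_IMAGE, policy);
  console.log(`${policy}: Referer=${ref} leaks=${JSON.stringify(leakedParams(ref))}`);
}
```

Under the default policy the image host learns only `https://app.example/`; under 'unsafe-url' it receives the authorization code and state verbatim. The practitioner's takeaway, independent of the Chrome fix, is that any secret carried in a query string is one referrer-policy decision away from a third party, so such pages should send `Referrer-Policy: no-referrer` (or mark embedded cross-origin resources with `referrerpolicy="no-referrer"`) and move the secret out of the URL as early as possible.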

Google has said only that it is aware of reports that an exploit for this vulnerability exists in the wild; it is unclear whether it has been used beyond proof-of-concept demonstrations. Even so, the in-the-wild status is reason enough for users to update promptly. Google has shipped the fix in Chrome 136.0.7103.113/.114 for Windows and Mac and 136.0.7103.113 for Linux. Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, should apply the corresponding updates as their vendors release them.

This is the second Chrome vulnerability exploited in the wild in 2025, following CVE-2025-2783 in March. It is a reminder that timely browser updates, and keeping secrets out of URLs, remain basic defences against this class of leak.