On Wednesday, Google released an update to address four security issues in the Chrome web browser.
High-strength vulnerabilities tracked as CVE-2025-4664 (CVSS score: 4.3) are characterized as inadequate policy enforcement in a component called loaders.
“Policy enforcement in Google Chrome loaders prior to 136.0.7103.113 allowed remote attackers to leak cross-origin data via created HTML pages,” according to the flaw description.
The Tech giant detailed the defects in X on May 5, 2025 to security researcher Vsevolod Kokorin (@slonser_), adding that “the CVE-2025-4664 exploit exists in the wild.”
“Unlike other browsers, Chrome resolves link headers for subresource requests,” Kokorin said in a series of posts about X earlier this month. “The problem is that the link header can set the referrer politics. You can specify an insecure URL and capture the full query parameters.”
The researchers added that the query parameters may contain sensitive data that could lead to a full acquisition of the account, allowing query parameter information to be stolen via images from third-party resources.
It is not clear whether the vulnerability was exploited in a malicious context other than this proof of concept (POC) demonstration. CVE-2025-4664 is the second vulnerability after CVE-2025-2783 undergoes “active exploitation” in the wild.
To protect against potential threats, we recommend updating your Chrome browser to version 136.0.7103.113/.114 for Windows and Mac and 136.0.7103.113 for Linux. It is also recommended that users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi also apply the fix when it becomes available.
Source link
