Zeljka Zorz
Zeljka Zorz, Editor-in-Chief, Help Net Security

CISA: Recently fixed Chrome vulnerability exploited in the wild (CVE-2025-4664)

A high-severity Chrome vulnerability (CVE-2025-4664) that Google has fixed on Wednesday is being leveraged by attackers, CISA has confirmed by adding the flaw to its Known Exploited Vulnerabilities catalog.

Chrome CVE-2025-4664

About CVE-2025-4664

CVE-2025-4664 stems from insufficient policy enforcement in Google Chrome’s Loader, which attackers can use to make the browser leak cross-origin data that can be used to take over accounts.

The vulnerability can be triggered with a maliciously crafted HTML page, on Chrome versions prior to v136.0.7103.113/.114 on Windows, macOS and Linux.

“Google is aware that knowledge of CVE-2025-4664 exists in the wild,” the company said when it pushed out the update, and referred to an X (formerly Twitter) post by security researcher Vsevolod Kokorin, aka “slonser_”, as the source.

The language used by Google made it impossible to know for sure whether the issue – whose existence has been public since May 5, 2025 – has been leveraged by attackers. CISA adding it to the KEV catalog, though, confirms that it has.

“The issue is that [Chrome’s] Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters. Query parameters can contain sensitive data – for example, in OAuth flows, this might lead to an Account Takeover,” Kokorin noted.

“Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource – which makes this trick surprisingly useful sometimes.”

Of course, Chrome users would have to open the maliciously crafted HTML page for the attack to work, but that step is not hard to achieve.

Update your browser(s)

CVE-2025-4664 being added to the KEV catalog means that civilian US federal government agencies must mitigate the vulnerability by the specified date: July 5, 2025.

But other organizations, including those in the private sector, should also make sure Chrome is updated on their systems.

If you’re using Chrome and have chosen to update your browser manually, now is the time to do it. To apply the latest update, simply close all open Chrome windows, then reopen the browser.

If you have automatic updates enabled, no action is needed, as Chrome will update itself in the background.

CVE-2025-4664 has also been fixed in Microsoft Edge, and other Chromium-based browsers like Opera and Brave are expected to implement the fix soon.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

More about

Featured news

Resources

Don't miss