A critical vulnerability identified as CVE-2025-4664 has emerged in Google Chrome, necessitating immediate updates for users to safeguard their personal information and accounts. This flaw affects all Chrome versions prior to 136.0.7103.113, allowing malicious actors to exploit the system actively. The existence of an exploit in the wild poses a considerable burden for users and security experts alike, as sensitive data could be compromised through deceptive means.
Research conducted by Vsevolod Kokorin revealed that the vulnerability resides within Chrome’s Loader component. It particularly allows for data leaks via specially designed HTML pages, heightening concerns regarding user security. The vulnerability arises from a flaw in how Chrome resolves the Link header on subresource requests, which inadvertently permits attackers to set a referrer-policy that captures query parameters. This exploitation method can provide unauthorized access to sensitive information such as OAuth tokens, which are crucial for user authentication processes across various services.
Research has unveiled a serious flaw in Chrome’s Loader component, enabling data leaks through crafted HTML pages.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has responded decisively by adding CVE-2025-4664 to its Known Exploited Vulnerabilities catalog. Federal agencies, in particular, are mandated to implement the available fixes by June 5, 2025, underscoring the urgency for swift action. In spite of this timeline, the vulnerability affects Chrome users globally, rendering both businesses and individual users at risk. Additionally, exploits for this flaw are actively being used in the wild, highlighting its serious nature.
If unaddressed, the ramifications could include complete account takeovers and privilege escalations, as stated by cybersecurity experts who highlight the potential for severe security breaches.
Given the alarming nature of this vulnerability, users are strongly urged to update their browsers to the latest versions provided by Google immediately. This prompt action is vital to prevent unauthorized access to accounts and maintain the integrity of sensitive data.
Failure to do so could result in significant, and possibly irreversible, consequences for affected individuals and organizations alike.
