Chrome vulnerability exposes sensitive data

A notable vulnerability, identified as CVE-2025-4664, has emerged within Google Chrome, exposing users to potential data hijacking risks. This high-severity flaw, affecting versions prior to 136.0.7103.113/114, resides in Chrome’s Loader component, which handles resource requests. Attackers can exploit this vulnerability by crafting malicious HTML pages, thereby leaking cross-origin data and enabling unauthorized access to sensitive information.

The vulnerability stems from insufficient policy enforcement related to the treatment of the Link header on sub-resource requests. Although other browsers implement restrictions, Chrome’s unique handling can expose sensitive query parameters, such as OAuth tokens, to attackers. By manipulating the referrer-policy through the Link header, malicious actors can capture full URLs, which often contain vital authentication data, greatly increasing the risk of exploitation. Zero-day vulnerabilities often lead to significant financial losses when exploited before patches are available.

Insufficient enforcement of Link header policies in Chrome can inadvertently leak sensitive query parameters, heightening the risk of exploitation by attackers.

Reports indicate that this flaw can be remotely exploited without user interaction, requiring only that victims visit crafted webpages. The consequences of this vulnerability are severe. Exposure of OAuth tokens can facilitate complete account takeovers, undermining user credentials and session security. Additionally, the cross-origin data leakage jeopardizes the same-origin policy, increasing the likelihood of data breaches for institutions and enterprises alike. With millions of users relying on Chrome, the global impact of such exploitation remains worrying. The absence of reported exploitation in the wild offers a glimmer of hope, but prompt action is still crucial to prevent potential threats. Immediate updates are recommended for users to mitigate the risks associated with this vulnerability.

Users on Windows, Linux, and macOS with unpatched Chrome browsers will remain vulnerable until they update to the recently released versions. Google issued emergency updates on May 15, 2025, with specific patches designed to address this pressing issue. Security researchers highlight the urgency of adopting these patches across all devices that utilize the Chrome platform.

Developers must recognize the potential for query parameter leakage through third-party resources. This vulnerability accentuates the importance of enforcing strict referrer-policy and safeguarding sensitive data transmission, thereby strengthening overall cybersecurity postures in both personal and enterprise environments.
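
As an added example (not code from the article or from Google), the sketch below audits a page for the leakage path described above: credential-like query parameters in the page URL combined with cross-origin sub-resources. It also builds a redirect that drops those parameters once the server has consumed them. The function names, the parameter list and the sample URLs are assumptions made for illustration.

```javascript
// Added example. Names and the parameter list are assumptions, not from the article.
const SENSITIVE_PARAMS = new Set(['access_token', 'id_token', 'refresh_token', 'code', 'token', 'api_key']);

// Names of query parameters in `url` that look like credentials.
function sensitiveParams(url) {
  const names = [...new URL(url).searchParams.keys()];
  return [...new Set(names.filter((k) => SENSITIVE_PARAMS.has(k.toLowerCase())))];
}

// The same URL with credential-like parameters removed.
function scrubUrl(url) {
  const u = new URL(url);
  for (const k of sensitiveParams(url)) u.searchParams.delete(k);
  return u.toString();
}

// Flag a page whose URL carries credentials while it loads cross-origin
// sub-resources: each such request may send a referrer derived from the page URL.
function auditPage(pageUrl, subresourceUrls) {
  const page = new URL(pageUrl);
  const leaked = sensitiveParams(pageUrl);
  const thirdParty = [...new Set(
    subresourceUrls.map((s) => new URL(s, page).origin).filter((o) => o !== page.origin)
  )];
  return { leaked, thirdParty, atRisk: leaked.length > 0 && thirdParty.length > 0 };
}

// Hardened handling: once the server has consumed the token, redirect to the
// scrubbed URL so no rendered page keeps the secret in its address.
function hardenedRedirect(pageUrl) {
  if (sensitiveParams(pageUrl).length === 0) return null;
  return {
    status: 303,
    headers: { Location: scrubUrl(pageUrl), 'Referrer-Policy': 'no-referrer' },
  };
}

// Constructed sample input.
const samplePage = 'https://app.example/oauth/callback?code=SAMPLE123&state=xyz';
const sampleResources = ['/static/app.js', 'https://cdn.thirdparty.example/pixel.png'];
console.log(auditPage(samplePage, sampleResources), hardenedRedirect(samplePage));
```

Keeping secrets out of the rendered page's URL does not depend on the browser honouring the page's own referrer policy, so it still holds on unpatched clients.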