Latest Cyber Security News

You are here: Home / General Cyber Security News / New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy
May 15, 2025

Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said there exists an exploit in the wild.

The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader.

“Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page,” according to a description of the flaw.

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


The tech giant credited security researcher Vsevolod Kokorin (@slonser_) with detailing the flaw in X on May 5, 2025, adding it’s aware “an exploit for CVE-2025-4664 exists in the wild.”

Cybersecurity

“Unlike other browsers, Chrome resolves the Link header on sub-resource requests,” Kokorin said in a series of posts on X earlier this month. “The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters.”

The researcher went on to add that query parameters can contain sensitive data that can lead to a full account takeover and that the query parameter information can be stolen via an image from a third-party resource.

It’s not clear if the vulnerability was exploited in a malicious context outside of this proof-of-concept (PoC) demonstration. CVE-2025-4664 is the second vulnerability after CVE-2025-2783 to have come under “active exploitation” in the wild.

To safeguard against potential threats, it’s advised to update their Chrome browser to versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *