Chrome Bug Leaks Data Across Sites via Referrer Policy

Google released updates on Wednesday to fix four security vulnerabilities in its Chrome web browser, including one that has an active exploit circulating online. 

The most critical issue, identified as CVE-2025-4664 (CVSS score: 4.3), stems from inadequate policy enforcement in a component known as Loader. 

According to the official description, “Insufficient policy enforcement in Loader in Google Chrome prior to version 136.0.7103.113 allowed a remote attacker to leak cross-origin data through a crafted HTML page.” 

Google credited security researcher Vsevolod Kokorin (@slonser_) for reporting the issue on X on May 5, 2025. The company confirmed it is aware that an exploit for CVE-2025-4664 is already in circulation. 

In a series of posts, Kokorin explained that unlike other browsers, Chrome processes the Link header on sub-resource requests. He noted that this header can set a referrer-policy. By specifying unsafe-url, attackers can capture full query parameters. 

Kokorin also pointed out that query parameters may include sensitive data, potentially allowing attackers to hijack accounts. He added that this information can be exfiltrated using an image from a third-party resource. 
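For defenders reviewing proxy or HAR-style logs, the behaviour described above can be hunted for by flagging sub-resource responses whose Link header sets the referrer policy to unsafe-url. The sketch below is an added example, not code from Kokorin's posts or Google's advisory; it assumes the Link parameter is spelled referrerpolicy (the HTML attribute name), and the record layout and hosts are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# One link-value: <target> followed by zero or more ;param[=value] pairs.
LINK_RE = re.compile(r'<([^>]*)>((?:\s*;\s*[^\s;,=]+(?:\s*=\s*(?:"[^"]*"|[^;,\s"]*))?)*)')
PARAM_RE = re.compile(r';\s*([^\s;,=]+)\s*(?:=\s*(?:"([^"]*)"|([^;,\s"]*)))?')

def parse_link_header(value):
    """Split a Link header into (target, {param: value}) pairs."""
    links = []
    for m in LINK_RE.finditer(value):
        params = {}
        for p in PARAM_RE.finditer(m.group(2)):
            raw = p.group(2) if p.group(2) is not None else (p.group(3) or "")
            params[p.group(1).lower()] = raw.strip().lower()
        links.append((m.group(1).strip(), params))
    return links

def flag_referrer_overrides(records):
    """Return findings for sub-resource responses whose Link header sets unsafe-url."""
    findings = []
    for rec in records:
        if rec["type"] == "document":  # only sub-resource responses are of interest
            continue
        for name, value in rec["headers"]:
            if name.lower() != "link":
                continue
            for target, params in parse_link_header(value):
                if params.get("referrerpolicy") == "unsafe-url":
                    host = urlsplit(urljoin(rec["url"], target)).hostname
                    findings.append({"response": rec["url"], "link_host": host})
    return findings

# Constructed sample records (hypothetical hosts), as a proxy might log them.
SAMPLE = [
    {"url": "https://cdn.example/logo.png", "type": "image",
     "headers": [("Content-Type", "image/png"),
                 ("Link", '<https://fonts.example/a.woff2>; rel=preload; as=font')]},
    {"url": "https://thirdparty.example/pixel.png", "type": "image",
     "headers": [("Link", '<https://collector.example/i.png>; rel="preload"; as="image"; '
                          'referrerpolicy="unsafe-url"')]},
    {"url": "https://app.example/", "type": "document",
     "headers": [("Link", '</style.css>; rel=preload; as=style, </x>; referrerpolicy=unsafe-url')]},
]

if __name__ == "__main__":
    for finding in flag_referrer_overrides(SAMPLE):
        print(finding)
```

A hit is a lead for triage rather than proof of abuse; the link_host field shows where the browser would have sent the full URL as the referrer.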

It remains unclear whether the vulnerability has been used maliciously outside of Kokorin’s proof-of-concept demonstration. CVE-2025-4664 is the second flaw, after CVE-2025-2783, to be actively exploited. 

To stay protected, users should update their Chrome browsers to version 136.0.7103.113 or 136.0.7103.114 for Windows and Mac, and version 136.0.7103.113 for Linux. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi should also apply updates as soon as they are available. 
