Google has released an urgent security update for Chrome to patch a newly discovered zero-day vulnerability, tracked as CVE-2025-4664, that is currently being exploited by attackers in the wild. This high-severity flaw affects how Chrome handles cross-origin requests and could allow attackers to leak sensitive information from users simply by luring them to a malicious web page.
What Is CVE-2025-4664?
The vulnerability was discovered in Chrome’s Loader component, specifically tied to insufficient policy enforcement when handling cross-origin data. Attackers can exploit this flaw using crafted HTML pages that take advantage of Chrome’s unique behavior when resolving the Link HTTP header on sub-resource requests.
This allows malicious websites to force the browser to send full URL referrer data—including query parameters—to a third-party server, potentially exposing sensitive information such as:
- Authentication tokens
- Session IDs
- Email addresses or usernames
- Other personal or application-specific data
Technical Details
According to security researcher Vsevolod Kokorin (Twitter/X: @slonser_), Chrome behaves differently than other browsers when it processes the Link header and applies a referrer-policy. By specifying a policy like unsafe-url, an attacker can ensure that Chrome sends the entire URL, including query strings, when loading sub-resources, thereby bypassing cross-origin protections.
This behavior makes Chrome uniquely vulnerable to this type of exploit. Although the actual implementation may seem niche, the impact is significant, particularly for users accessing sensitive platforms or APIs.
Who Is Affected?
The vulnerability impacts the following Chrome versions:
- Linux: Versions prior to 136.0.7103.113
- Windows/macOS: Versions prior to 136.0.7103.113/.114
Since Chrome is widely used across platforms, the number of potentially affected users is in the millions.
What Should You Do?
Update your browser immediately. Google has already rolled out a patch in the latest version of Chrome. To update:
- Open Chrome
- Click the three dots in the top-right corner
- Navigate to Help > About Google Chrome
- Chrome will automatically check for updates and prompt a restart
If you use a Chromium-based browser like Microsoft Edge, Brave, Opera, or Vivaldi, make sure to apply the latest available updates as soon as they’re released.
Why This Matters
Zero-day vulnerabilities are particularly dangerous because they are exploited before a fix is available. Attackers often use these flaws in targeted phishing campaigns, watering hole attacks, or malware distribution schemes.
This case underscores the increasing complexity of modern web browsers and how even seemingly minor implementation quirks, like how a referrer-policy is applied, can have outsized security implications.
Final Thoughts
CVE-2025-4664 is a reminder that browser security is not just about avoiding sketchy websites. It’s about staying updated, using the latest versions, and understanding how rapidly attackers can exploit even small oversights.
If you manage web applications, consider reviewing your own site’s referrer-policy headers and minimizing the use of sensitive query strings in URLs. For users, keeping your software up to date is still the simplest and most effective defense.
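One way to carry out the review suggested above, as an added example that is not from the original article: a small Python audit that takes a response's URL and headers, resolves the effective Referrer-Policy, and flags query parameters that look sensitive. The parameter-name list and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

KNOWN_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Policies under which the full URL, query string included, can go cross-origin.
LEAKY_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}
# Assumed parameter names; extend with your application's own.
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "session", "sessionid",
                    "sid", "code", "api_key", "apikey", "password", "email"}


def effective_policy(header_value):
    """Return the last recognised token of a Referrer-Policy header, or None."""
    policy = None
    for token in (header_value or "").split(","):
        token = token.strip().lower()
        if token in KNOWN_POLICIES:
            policy = token  # later recognised values override earlier ones
    return policy


def audit(url, headers):
    """Return findings for one response: referrer policy and sensitive query keys."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    policy = effective_policy(lowered.get("referrer-policy"))
    if policy is None:
        findings.append("referrer-policy: missing or unrecognised (browser default applies)")
    elif policy in LEAKY_POLICIES:
        findings.append(f"referrer-policy: '{policy}' can send the full URL cross-origin")
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"query: sensitive parameter '{name}' in URL")
    return findings


# Constructed sample responses (not from the article).
SAMPLES = [
    ("https://app.example/reset?token=abc123&lang=en", {"Referrer-Policy": "unsafe-url"}),
    ("https://app.example/home", {"referrer-policy": "no-referrer, strict-origin-when-cross-origin"}),
    ("https://app.example/cb?code=xyz&state=1", {}),
]

if __name__ == "__main__":
    for url, headers in SAMPLES:
        print(url, audit(url, headers) or "ok")
```

Feed it URL and header pairs exported from a crawler or proxy log; URLs with `query:` findings are the ones to redesign so that secrets travel in headers or request bodies instead.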