
New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy


May 15, 2025 | Ravie Lakshmanan | Browser Security / Web Security


Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said an exploit exists in the wild.

The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader.

"Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page," according to a description of the flaw.

The tech giant credited security researcher Vsevolod Kokorin (@slonser_) with detailing the flaw on X on May 5, 2025, adding that it is aware "an exploit for CVE-2025-4664 exists in the wild."


"Unlike other browsers, Chrome resolves the Link header on sub-resource requests," Kokorin said in a series of posts on X earlier this month. "The problem is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters."

The researcher went on to add that query parameters can contain sensitive data that can lead to a full account takeover, and that the query parameter information could be stolen via an image loaded from a third-party resource.
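To see why a referrer policy of unsafe-url matters for a page whose URL carries a secret in its query string, here is an added Python model of the W3C Referrer Policy algorithm (example code, not from the article, from Kokorin, or from Chromium) that computes the Referer value a browser would send for a third-party image request under the browser default strict-origin-when-cross-origin versus unsafe-url. The page and image URLs are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Simplified model of the W3C Referrer Policy "determine request's referrer"
# algorithm. Added example; not code from the article or from Chromium.

def _strip(url: str) -> str:
    """Referrer with userinfo and fragment removed (the spec drops both)."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))

def _origin(url: str) -> str:
    """Serialized origin plus a trailing slash, as browsers send it."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"

def compute_referrer(referring_url: str, request_url: str, policy: str) -> Optional[str]:
    """Return the Referer value to send, or None for no Referer header at all."""
    src, dst = urlsplit(referring_url), urlsplit(request_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme != "https"  # TLS -> non-TLS
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":                       # full URL, query included, to anyone
        return _strip(referring_url)
    if policy == "origin":
        return _origin(referring_url)
    if policy == "same-origin":
        return _strip(referring_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(referring_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip(referring_url)
    if policy == "origin-when-cross-origin":
        return _strip(referring_url) if same_origin else _origin(referring_url)
    if policy == "strict-origin-when-cross-origin":  # browsers' default policy
        if same_origin:
            return _strip(referring_url)
        return None if downgrade else _origin(referring_url)
    raise ValueError(f"unknown referrer policy: {policy}")

# Constructed URLs: a page carrying a sensitive token in its query string and a
# third-party image it embeds. Neither host is real.
PAGE = "https://app.example.test/reset?token=CONSTRUCTED_SECRET"
IMAGE = "https://cdn.third-party.test/pixel.png"

if __name__ == "__main__":
    for policy in ("strict-origin-when-cross-origin", "unsafe-url"):
        print(f"{policy:31} -> {compute_referrer(PAGE, IMAGE, policy)}")
```

Under the default policy the third party sees only the origin; under unsafe-url it receives the whole URL, token included, which is the leak the researcher describes and why secrets should not travel in query strings.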

It is not clear whether the vulnerability was exploited in a malicious context outside of this proof-of-concept (PoC) demonstration. CVE-2025-4664 is the second Chrome vulnerability this year, after CVE-2025-2783, to have come under "active exploitation" in the wild.

To safeguard against potential threats, users are advised to update their Chrome browser to versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
