Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said there exists an exploit in the wild.
The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader.
“Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page,” according to a description of the flaw.
The tech giant credited security researcher Vsevolod Kokorin (@slonser_) with detailing the flaw in X on May 5, 2025, adding it’s aware “an exploit for CVE-2025-4664 exists in the wild.”
“Unlike other browsers, Chrome resolves the Link header on sub-resource requests,” Kokorin said in a series of posts on X earlier this month. “The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters.”
The researcher went on to add that query parameters can contain sensitive data that can lead to a full account takeover and that the query parameter information can be stolen via an image from a third-party resource.
It’s not clear if the vulnerability was exploited in a malicious context outside of this proof-of-concept (PoC) demonstration. CVE-2025-4664 is the second vulnerability after CVE-2025-2783 to have come under “active exploitation” in the wild.
To safeguard against potential threats, it’s advised to update their Chrome browser to versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.
