CVE-2025-4664
Published 2025-05-14
Priority P2 · 74 · medium · 4.3 · CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:U / C:L / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS
5.33%
91.6th percentile
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chromium | chromium | >= 0 < 136.0.7103.113-1~deb12u1 | 136.0.7103.113-1~deb12u1 |
| chromium | chromium | >= 0 < 136.0.7103.113-1 | 136.0.7103.113-1 |
| chromium | chromium | >= 0 < 136.0.7103.113-1 | 136.0.7103.113-1 |
| debian | chromium | < chromium 136.0.7103.113-1~deb12u1 (bookworm) | chromium 136.0.7103.113-1~deb12u1 (bookworm) |
| | chrome | < 136.0.7103.113 | 136.0.7103.113 |
| | chrome | >= 136.0.7103.113 < 136.0.7103.113 | 136.0.7103.113 |
| | chrome_chrome | — | — |
| msrc | microsoft_edge | — | — |
| paloalto | prisma_browser | — | — |
Detection & IOCs
- Chrome's Loader component resolves Link headers on subresource requests; attackers can set referrer-policy to 'unsafe-url' via the Link header to capture full query parameters from cross-origin requests, enabling data leakage and account takeover (e.g., OAuth token theft).
- Detection focus: monitor for Link response headers on subresource requests containing 'referrer-policy=unsafe-url', which is the mechanism abused to exfiltrate query parameters cross-origin.
- Exploitation vector is a crafted HTML page delivered remotely; defenders should alert on Chrome versions prior to 136.0.7103.113 (and Edge prior to 136.0.3240.76) accessing untrusted HTML content, as those versions are vulnerable.
- CVE-2025-4664 is confirmed actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog; prioritize detection of unpatched Chrome/Edge instances in the environment.
- Exploitation can lead to full account takeover via OAuth flow query parameter theft; monitor OAuth redirect URIs and authorization code parameters for unexpected referrer leakage to third-party image or subresource origins.
- Google did not initially disclose whether the vulnerability was actively exploited at patch time, only noting a public exploit existed; active exploitation was confirmed by CISA one day after the patch release.
- The Link header referrer-policy abuse vector is specific to Chrome's subresource loader behavior; other browsers do not resolve Link headers on subresource requests in the same way, limiting cross-browser applicability of this attack technique.
- Developers are noted to rarely account for query parameter theft via third-party image subresources, meaning many applications may be silently vulnerable to data leakage even after browser patching if server-side mitigations are not applied.
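The detection focus above, written as a check over proxy or HAR-style response records. This is an added example, not code from any of the indexed sources; the record field names (`url`, `resource_type`, `initiator`, `link`), the hosts, the `referrerpolicy` spelling and the OAuth parameter list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# RFC 8288 link-value: <target> followed by ;name=value parameters.
LINK_VALUE = re.compile(r'<([^>]*)>((?:\s*;\s*[^\s;,="]+\s*(?:=\s*(?:"[^"]*"|[^;,"\s]*))?)*)')
PARAM = re.compile(r';\s*([^\s;,="]+)\s*(?:=\s*(?:"([^"]*)"|([^;,"\s]*)))?')
# The page spells the parameter 'referrer-policy'; the HTML attribute spelling
# 'referrerpolicy' is matched as well (assumption, not taken from the page).
POLICY_PARAMS = ("referrerpolicy", "referrer-policy")
# Query parameters treated as OAuth secrets (assumed list for this example).
OAUTH_PARAMS = {"code", "access_token", "id_token"}

def parse_link_header(value):
    """Split a Link header into (target, {param: value}) pairs."""
    links = []
    for m in LINK_VALUE.finditer(value):
        params = {p.group(1).lower(): (p.group(2) or p.group(3) or "").lower()
                  for p in PARAM.finditer(m.group(2))}
        links.append((m.group(1), params))
    return links

def flag_responses(records):
    """Return findings for subresource responses whose Link header requests
    referrer policy unsafe-url; list the OAuth parameters in the initiating
    page URL that a full-URL Referer would expose."""
    findings = []
    for rec in records:
        if rec["resource_type"] == "document":
            continue  # the page's detection focus is subresource responses
        for target, params in parse_link_header(rec.get("link", "")):
            if not any(params.get(k) == "unsafe-url" for k in POLICY_PARAMS):
                continue
            query = parse_qs(urlsplit(rec["initiator"]).query)
            findings.append({
                "subresource": rec["url"],
                "link_target": target,
                "oauth_params_at_risk": sorted(OAUTH_PARAMS & query.keys()),
            })
    return findings

# Constructed proxy records (hypothetical hosts and field names).
SAMPLE = [
    {"url": "https://img.example.net/a.png", "resource_type": "image",
     "initiator": "https://app.example.com/cb?code=abc123&state=xyz",
     "link": '<https://log.example.net/c>; rel=preload; as=image; referrerpolicy="unsafe-url"'},
    {"url": "https://cdn.example.org/site.css", "resource_type": "stylesheet",
     "initiator": "https://app.example.com/home",
     "link": "</font.woff2>; rel=preload; as=font; crossorigin, </x.js>; rel=preload; as=script"},
    {"url": "https://app.example.com/", "resource_type": "document",
     "initiator": "", "link": "</a.css>; rel=preload; referrer-policy=unsafe-url"},
]

if __name__ == "__main__":
    for finding in flag_responses(SAMPLE):
        print(finding)
```

A non-empty `oauth_params_at_risk` marks the findings to triage first, since the initiating page URL carried an authorization code or token at the time of the request.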
CVSS provenance
nvd · v3.1 · 4.3 · MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
osv · 4.3 · MEDIUM
vulncheck · 4.3 · MEDIUM
vendor_debian · 4.3 · MEDIUM
vendor_msrc · 4.3 · MEDIUM
GHSA
GHSA-vxhm-55mv-5fhx: Insufficient policy enforcement in Loader in Google Chrome prior to 136
ghsa_unreviewed·2025-05-14
CVE-2025-4664 [MEDIUM] GHSA-vxhm-55mv-5fhx: Insufficient policy enforcement in Loader in Google Chrome prior to 136
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
OSV
CVE-2025-4664: Insufficient policy enforcement in Loader in Google Chrome prior to 136
osv·2025-05-14·CVSS 4.3
CVE-2025-4664 [MEDIUM] CVE-2025-4664: Insufficient policy enforcement in Loader in Google Chrome prior to 136
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
VulnCheck
Google Chrome Loader Policy Enforcement Vulnerability
vulncheck·2025·CVSS 4.3
CVE-2025-4664 [MEDIUM] Google Chrome Loader Policy Enforcement Vulnerability
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Affected: Google Chrome
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html; https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025.pdf; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
Exploit PoC: https://vulncheck.com/xdb/70f6cb2db4f9; https://vulncheck.com/
Palo Alto
PAN-SA-2025-0011 Chromium and Prisma Browser: Monthly Vulnerability Update (June 2025)
vendor_paloalto·2025-06-11·CVSS 5.1
[MEDIUM] PAN-SA-2025-0011 Chromium and Prisma Browser: Monthly Vulnerability Update (June 2025)
Palo Alto Networks incorporated the following Chromium security fixes into our products:
- https://chromereleases.googleblog.com/2025/06/extended-stable-updates-for-desktop.html
- https://chromereleases.googleblog.com/2025/06/stable-channel-update-for-desktop.html
- https://chromereleases.googleblog.com/2025/05/extended-stable-updates-for-desktop.html
- https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_27.html
- https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html

Additionally, a vulnerability in Prisma Browser was also addressed.

CVE Summary
- CVE-2025-4664 Insufficient policy enforcement in Loader
- CVE-2025-5063 Use after free in Compositing
- CVE-2025
Chrome
Long Term Support Channel Update for ChromeOS: CVE-2025-4664
vendor_chrome·2025-06-06·CVSS 4.3
CVE-2025-4664 [MEDIUM] Long Term Support Channel Update for ChromeOS: CVE-2025-4664
Long Term Support Channel Update for ChromeOS
CVE-2025-4664
Microsoft
Chromium: CVE-2025-4664 Insufficient policy enforcement in Loader
vendor_msrc·2025-05-13·CVSS 4.3
CVE-2025-4664 [MEDIUM] Chromium: CVE-2025-4664 Insufficient policy enforcement in Loader
Description: This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild.
FAQ: Why is this Chrome CVE included in the Security Update Guide?
The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.
How can I see the version of the browser?
In your Microsoft Edge browser, click on the 3 dots (...) on the very
Debian
CVE-2025-4664: chromium - Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.1...
vendor_debian·2025·CVSS 4.3
CVE-2025-4664 [MEDIUM] CVE-2025-4664: chromium - Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.1...
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Scope: local
bookworm: resolved (fixed in 136.0.7103.113-1~deb12u1)
bullseye: open
forky: resolved (fixed in 136.0.7103.113-1)
sid: resolved (fixed in 136.0.7103.113-1)
trixie: resolved (fixed in 136.0.7103.113-1)
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Google fixes eighth Chrome zero-day exploited in attacks in 2025
blogs_bleepingcomputer·2025-12-11·CVSS 9.8
[CRITICAL] Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Google fixes eighth Chrome zero-day exploited in attacks in 2025
## Sergiu Gatlan
The company has now fixed this high-severity vulnerability for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (143.0.7499.109), macOS (143.0.7499.110), and Linux users (143.0.7499.109).
While the security patch could take days or weeks to reach all users, according to Google, it was immediately available when BleepingComputer checked for updates earlier today.
If you prefer not to update manually, you can also let your web browser check for updates automatically and install them after the next launch.
Google didn't share any other details about this zero-day bug, including the CVE ID used to track it, and said it's still "under coordination."
"Access
Bleepingcomputer
Google fixes new Chrome zero-day flaw exploited in attacks
blogs_bleepingcomputer·2025-11-18·CVSS 9.8
[CRITICAL] Google fixes new Chrome zero-day flaw exploited in attacks
## Google fixes new Chrome zero-day flaw exploited in attacks
## Sergiu Gatlan
Google fixed the zero-day flaw with the release of 142.0.7444.175/.176 for Windows, 142.0.7444.176 for Mac, and 142.0.7444.175 for Linux.
While these new versions are scheduled to roll out to all users in the Stable Desktop channel over the coming weeks, the patch was immediately available when BleepingComputer checked for the latest updates.
Although the Chrome web browser updates automatically when security patches are available, users can also confirm they're running the latest version by going to Chrome menu > Help > About Google Chrome, letting the update finish, and then clicking on the 'Relaunch' button to install it.
Although Google has already confirmed that CVE-2025-13223 was used in attacks, i
Qualys
Patch Automation for Browsers with TruRisk™ Eliminate
blogs_qualys·2025-09-24·CVSS 9.8
CVE-2025-10585 [CRITICAL] Patch Automation for Browsers with TruRisk™ Eliminate
Recently, CISA added a Chrome zero-day vulnerability, CVE-2025-10585, to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors are actively exploiting this high-severity flaw in real-world attacks.
This vulnerability affects multiple web browsers that utilize the Chromium engine, including Google Chrome, Microsoft Edge, Opera, and Brave.
CISA strongly urges all organizations and individual users to prioritize updating their browsers as part of essential vulnerability management practices.
A patch is available. You can find the vulnerability in Qualys VMDR and eliminate the risk as follows:
Find the vulnerability in VMDR
View Risk Elimination
Create Remediation job
We just launched a
Qualys
Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys
blogs_qualys·2025-09-24·CVSS 9.8
CVE-2025-10585 [CRITICAL] Automated Browser Patching with Qualys TruRisk™ Eliminate | Qualys
Recently, CISA added a Chrome zero-day vulnerability, CVE-2025-10585, to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors are actively exploiting this high-severity flaw in real-world attacks.
This vulnerability affects multiple web browsers that utilize the Chromium engine, including Google Chrome, Microsoft Edge, Opera, and Brave.
CISA strongly urges all organizations and individual users to prioritize updating their browsers as part of essential vulnerability management practices.
A patch is available. You can find the vulnerability in Qualys VMDR and eliminate the risk as follows:
- Find the vulnerability in VMDR
- View Risk Elimination
- Create Remediation job
We just laun
Bleepingcomputer
Google patches sixth Chrome zero-day exploited in attacks this year
blogs_bleepingcomputer·2025-09-18·CVSS 9.8
[CRITICAL] Google patches sixth Chrome zero-day exploited in attacks this year
## Google patches sixth Chrome zero-day exploited in attacks this year
## Sergiu Gatlan
Google has released emergency security updates to patch a Chrome zero-day vulnerability, the sixth one tagged as exploited in attacks since the start of the year.
While it didn't specifically say whether this security flaw is still being actively abused in the wild, the company warned that it has a public exploit, a common indicator of active exploitation.
"Google is aware that an exploit for CVE-2025-10585 exists in the wild," Google warned in a security advisory published on Wednesday.
This high-severity zero-day vulnerability is caused by a type confusion weakness in the web browser's V8 JavaScript engine, reported by Google's Threat Analysis Group on Tuesday.
Google TAG frequently flags zero-d
Bleepingcomputer
Google fixes actively exploited sandbox escape zero day in Chrome
blogs_bleepingcomputer·2025-07-16·CVSS 8.8
[HIGH] Google fixes actively exploited sandbox escape zero day in Chrome
## Google fixes actively exploited sandbox escape zero day in Chrome
## Bill Toulas
ANGLE (Almost Native Graphics Layer Engine) is an open-source graphics abstraction layer used by Chrome to translate OpenGL ES API calls to Direct3D, Metal, Vulkan, and OpenGL.
Because ANGLE processes GPU commands from untrusted sources like websites using WebGL, bugs in this component can have a critical security impact.
The vulnerability allows a remote attacker using a specially crafted HTML page to execute arbitrary code within the browser’s GPU process. Google has not provided the technical details on how triggering the issue could lead to escaping the browser's sandbox.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” states Google in the
Krebs
Patch Tuesday, June 2025 Edition
blogs_krebs·2025-06-11·CVSS 8.8
CVE-2025-33053 [HIGH] Patch Tuesday, June 2025 Edition
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV — an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.
Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 does
Krebs
Patch Tuesday, June 2025 Edition
blogs_krebs·2025-06-10·CVSS 8.8
CVE-2025-33053 [HIGH] Patch Tuesday, June 2025 Edition
Microsoft today released security updates to fix at least 67 vulnerabilities in its Windows operating systems and software. Redmond warns that one of the flaws is already under active attack, and that software blueprints showing how to exploit a pervasive Windows bug patched this month are now public.
The sole zero-day flaw this month is CVE-2025-33053, a remote code execution flaw in the Windows implementation of WebDAV — an HTTP extension that lets users remotely manage files and directories on a server. While WebDAV isn’t enabled by default in Windows, its presence in legacy or specialized systems still makes it a relevant target, said Seth Hoyt, senior security engineer at Automox.
Adam Barnett, lead software engineer at Rapid7, said Microsoft’s advisory for CVE-2025-33053 does not m
Checkpoint
19th May – Threat Intelligence Report
blogs_checkpoint·2025-05-19
CVE-2025-31324 19th May – Threat Intelligence Report
## 19th May – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th May, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Fashion giant Dior confirmed a data breach that exposed customer information from its Fashion and Accessories line. The leaked data includes names, gender, phone numbers, email addresses, postal addresses, and purchase history with customers in South Korea and China most affected. Specific details regarding the quantity and addit
Bleepingcomputer
CISA tags recently patched Chrome bug as actively exploited
blogs_bleepingcomputer·2025-05-16·CVSS 4.3
CVE-2025-4664 [MEDIUM] CISA tags recently patched Chrome bug as actively exploited
## CISA tags recently patched Chrome bug as actively exploited
## Sergiu Gatlan
On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser.
Solidlab security researcher Vsevolod Kokorin discovered the flaw (CVE-2025-4664) and shared technical details online on May 5th. Google released security updates to patch it on Wednesday.
As Kokorin explained, the vulnerability is due to insufficient policy enforcement in Google Chrome's Loader component, and successful exploitation can allow remote attackers to leak cross-origin data via maliciously crafted HTML pages.
"You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what's the problem?