New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy

Posted on By CWS

Might 15, 2025Ravie LakshmananBrowser Safety / Internet Safety
Google on Wednesday launched updates to deal with 4 safety points in its Chrome net browser, together with one for which it stated there exists an exploit within the wild.
The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS rating: 4.3), has been characterised as a case of inadequate coverage enforcement in a part referred to as Loader.
“Inadequate coverage enforcement in Loader in Google Chrome previous to 136.0.7103.113 allowed a distant attacker to leak cross-origin information through a crafted HTML web page,” based on an outline of the flaw.
The tech big credited safety researcher Vsevolod Kokorin (@slonser_) with detailing the flaw in X on Might 5, 2025, including it is conscious “an exploit for CVE-2025-4664 exists within the wild.”

“Not like different browsers, Chrome resolves the Hyperlink header on sub-resource requests,” Kokorin stated in a sequence of posts on X earlier this month. “The difficulty is that the Hyperlink header can set a referrer-policy. We are able to specify unsafe-url and seize the complete question parameters.”
The researcher went on so as to add that question parameters can include delicate information that may result in a full account takeover and that the question parameter info may be stolen through a picture from a third-party useful resource.
It isn’t clear if the vulnerability was exploited in a malicious context outdoors of this proof-of-concept (PoC) demonstration. CVE-2025-4664 is the second vulnerability after CVE-2025-2783 to have come below “lively exploitation” within the wild.
To safeguard in opposition to potential threats, it is suggested to replace their Chrome browser to variations 136.0.7103.113/.114 for Home windows and Mac, and 136.0.7103.113 for Linux. Customers of different Chromium-based browsers comparable to Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and after they turn into out there.

Discovered this text fascinating? Comply with us on Twitter  and LinkedIn to learn extra unique content material we submit.

The Hacker News Tags:, , , , , , , ,

Related Posts

China-Linked Hackers Launch Targeted Espionage Campaign on African IT Infrastructure The Hacker News
Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT The Hacker News
CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs The Hacker News
Microsoft Launches Project Ire to Autonomously Classify Malware Using AI Tools The Hacker News
Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals The Hacker News
Meta Starts Showing Ads on WhatsApp After 6-Year Delay From 2018 Announcement The Hacker News