New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy

New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy

Posted on By CWS

Might 15, 2025Ravie LakshmananBrowser Safety / Internet Safety
Google on Wednesday launched updates to deal with 4 safety points in its Chrome net browser, together with one for which it stated there exists an exploit within the wild.
The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS rating: 4.3), has been characterised as a case of inadequate coverage enforcement in a part referred to as Loader.
“Inadequate coverage enforcement in Loader in Google Chrome previous to 136.0.7103.113 allowed a distant attacker to leak cross-origin information through a crafted HTML web page,” based on an outline of the flaw.
The tech big credited safety researcher Vsevolod Kokorin (@slonser_) with detailing the flaw in X on Might 5, 2025, including it is conscious “an exploit for CVE-2025-4664 exists within the wild.”

“Not like different browsers, Chrome resolves the Hyperlink header on sub-resource requests,” Kokorin stated in a sequence of posts on X earlier this month. “The difficulty is that the Hyperlink header can set a referrer-policy. We are able to specify unsafe-url and seize the complete question parameters.”
The researcher went on so as to add that question parameters can include delicate information that may result in a full account takeover and that the question parameter info may be stolen through a picture from a third-party useful resource.
It isn’t clear if the vulnerability was exploited in a malicious context outdoors of this proof-of-concept (PoC) demonstration. CVE-2025-4664 is the second vulnerability after CVE-2025-2783 to have come below “lively exploitation” within the wild.
To safeguard in opposition to potential threats, it is suggested to replace their Chrome browser to variations 136.0.7103.113/.114 for Home windows and Mac, and 136.0.7103.113 for Linux. Customers of different Chromium-based browsers comparable to Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and after they turn into out there.

Discovered this text fascinating? Comply with us on Twitter  and LinkedIn to learn extra unique content material we submit.

The Hacker News Tags:, , , , , , , ,

Related Posts

UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats UNC6384 Deploys PlugX via Captive Portal Hijacks and Valid Certificates Targeting Diplomats The Hacker News
New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits New Android Malware Wave Hits Banking via NFC Relay Fraud, Call Hijacking, and Root Exploits The Hacker News
How to Automate CVE and Vulnerability Advisory Response with Tines How to Automate CVE and Vulnerability Advisory Response with Tines The Hacker News
Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation Grafana Patches CVSS 10.0 SCIM Flaw Enabling Impersonation and Privilege Escalation The Hacker News
Cybercrime Trends: Codespaces Exploits and More Cybercrime Trends: Codespaces Exploits and More The Hacker News
Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files The Hacker News