CVE-2025-4664 is a high-severity vulnerability in the Loader component of Google Chrome, caused by insufficient policy enforcement. Successful exploitation allows a remote attacker to leak cross-origin data using crafted HTML pages. This is primarily done by manipulating the Link header to set an unsafe referrer-policy, exposing sensitive query parameters.
Key Details
- Date Added to CISA KEV Catalog: May 15, 2025
- Vendor: Google
- Product: Chrome (pre-136.0.7103.113)
- CVSS Score: 4.3 (Medium)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Exploitation Status: Confirmed – Actively Exploited
- Patch Status: Fixed in Chrome version 136.0.7103.113 (Windows/Linux) and 136.0.7103.114 (Mac)
How the Vulnerability Works
Unlike most browsers, Chrome honors the Link header on subresource responses (e.g., images), and that header can carry a referrer policy. An attacker can exploit this behavior by setting referrer-policy: unsafe-url in a response they control. This causes the victim’s browser to attach the full referring URL, including query parameters, to the subsequent request to a third-party domain controlled by the attacker.
In practical terms, if a user is redirected through an OAuth or SSO flow and a sensitive token appears in the URL, an attacker can trigger an image load or similar request from a compromised site, capture the referrer, and extract confidential tokens or session data.
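As an added illustration (not code from the advisory or from Google), the following Python models what each referrer policy reveals to a cross-origin subresource request, so you can see why unsafe-url exposes OAuth query parameters that Chrome's default policy withholds, and flags Link headers that request that policy. The URLs, header values and the list of sensitive parameter names are constructed, and the `referrerpolicy` Link parameter spelling is assumed to mirror the `<link>` element attribute.

```python
# Added example, not from the advisory: models what each Referrer-Policy value
# reveals to a subresource request, then flags Link headers that ask for the
# leaky "unsafe-url" policy. All URLs, headers and parameter names are constructed.
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

def origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referrer_sent(policy: str, referring_url: str, request_url: str) -> str:
    """Referer value sent for request_url from a page at referring_url.
    Covers the policies relevant here; assumes both URLs are https, so the
    'downgrade' rules of the spec never apply."""
    p = urlsplit(referring_url)
    full = urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))  # fragment always dropped
    if policy == "no-referrer":
        return ""
    if policy == "origin":
        return origin(referring_url) + "/"
    if policy == "unsafe-url":
        return full                          # path AND query go cross-origin: the leak
    # Chrome's default, strict-origin-when-cross-origin: full URL only same-origin
    if origin(referring_url) == origin(request_url):
        return full
    return origin(referring_url) + "/"

# Constructed list of query parameter names that commonly carry OAuth/SSO secrets.
SENSITIVE = {"code", "token", "access_token", "id_token", "state", "session"}

def leaked_params(policy: str, referring_url: str, request_url: str) -> list:
    """Sensitive query parameters that would reach request_url's origin."""
    ref = referrer_sent(policy, referring_url, request_url)
    return sorted(k for k in parse_qs(urlsplit(ref).query) if k in SENSITIVE)

# Assumed: the Link header parameter is spelled like the <link> element attribute.
LINK_ENTRY = re.compile(r"<[^>]*>[^<]*")        # one <url>; param; param entry each
POLICY_PARAM = re.compile(r";\s*referrerpolicy\s*=\s*\"?([\w-]+)\"?", re.I)

def unsafe_link_headers(headers: dict) -> list:
    """Link header entries (e.g. rel=preload) that request referrerpolicy=unsafe-url."""
    flagged = []
    for entry in LINK_ENTRY.findall(headers.get("Link", "")):
        m = POLICY_PARAM.search(entry)
        if m and m.group(1).lower() == "unsafe-url":
            flagged.append(entry.strip(" ,"))
    return flagged
```

Running `leaked_params` with the default policy against a cross-origin image URL returns nothing, while `unsafe-url` returns the `code` and `state` names; `unsafe_link_headers` is the check to run over proxy or WAF-captured response headers.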
Exploitation in the Wild
On May 15th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-4664 to its Known Exploited Vulnerabilities (KEV) catalog. This triggered mandatory patching deadlines for U.S. federal agencies.
What You Should Do
- Update immediately to Chrome version 136.0.7103.113 or later on all platforms.
- Ensure Chromium-based browsers like Edge, Brave, or Vivaldi are also patched.
- Consider reviewing your OAuth implementations and subresource request handling.
At OP Innovate, we continuously monitor emerging vulnerabilities like these, especially those with implications for data leakage and identity-based threats. If you need support validating your exposure or testing your applications for similar weaknesses, our WASP platform is ready.