Google on Wednesday launched updates to handle 4 safety points in its Chrome internet browser, together with one for which it stated there exists an exploit within the wild.
The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS rating: 4.3), has been characterised as a case of inadequate coverage enforcement in a element referred to as Loader.
“Inadequate coverage enforcement in Loader in Google Chrome previous to 136.0.7103.113 allowed a distant attacker to leak cross-origin information by way of a crafted HTML web page,” in accordance with a description of the flaw.
The tech big credited safety researcher Vsevolod Kokorin (@slonser_) with detailing the flaw in X on Could 5, 2025, including it is conscious “an exploit for CVE-2025-4664 exists within the wild.”
“Not like different browsers, Chrome resolves the Hyperlink header on sub-resource requests,” Kokorin stated in a sequence of posts on X earlier this month. “The problem is that the Hyperlink header can set a referrer-policy. We are able to specify unsafe-url and seize the complete question parameters.”
The researcher went on so as to add that question parameters can comprise delicate information that may result in a full account takeover and that the question parameter info might be stolen by way of a picture from a third-party useful resource.
It isn’t clear if the vulnerability was exploited in a malicious context outdoors of this proof-of-concept (PoC) demonstration. CVE-2025-4664 is the second vulnerability after CVE-2025-2783 to have come underneath “energetic exploitation” within the wild.
To safeguard in opposition to potential threats, it is suggested to replace their Chrome browser to variations 136.0.7103.113/.114 for Home windows and Mac, and 136.0.7103.113 for Linux. Customers of different Chromium-based browsers comparable to Microsoft Edge, Courageous, Opera, and Vivaldi are additionally suggested to use the fixes as and after they develop into out there.
