Google Chrome Fixes High-Severity Vulnerability in Loader Component

Google has released updates to address a high-severity vulnerability in its Chrome web browser, CVE-2025-4664, which allows remote attackers to leak cross-origin data via crafted HTML pages. The flaw was identified by security researcher Vsevolod Kokorin and affects a component called Loader.

The vulnerability is characterized as insufficient policy enforcement in the Loader component and can be exploited by specifying an unsafe-url referrer policy in query parameters, which can lead to a full account takeover. Google advises users to update their Chrome browser to versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux.

The vulnerability has already been exploited in the wild, with at least one exploit reported, making it a high-priority fix. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-4664 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply the fixes by June 5, 2025.

Source: https://thehackernews.com/2025/05/new-chrome-vulnerability-enables-cross.html