Article Details

Original Article Text


Google fixes high severity Chrome flaw with public exploit

Google has released emergency security updates to patch a high-severity vulnerability in the Chrome web browser that could lead to full account takeover following successful exploitation.

While it's unclear if this security flaw has been used in attacks, the company warned that it has a public exploit, which is how it usually hints at active exploitation.

"Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild," Google said in a Wednesday security advisory.

The vulnerability was discovered by Solidlab security researcher Vsevolod Kokorin and is described as an insufficient policy enforcement in Google Chrome's Loader component that lets remote attackers leak cross-origin data via maliciously crafted HTML pages.

"You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what's the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters," Kokorin explained.

"Query parameters can contain sensitive data - for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource."

Google fixed the flaw for users in the Stable Desktop channel, with patched versions (136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS) rolling out to users worldwide.

Although the company says the security updates will roll out over the coming days and weeks, they were immediately available when BleepingComputer checked for updates.

Users who don't want to update Chrome manually can also let the browser automatically check for new updates and install them after the next launch.
In March, Google also fixed a high-severity Chrome zero-day bug (CVE-2025-2783) that was abused to deploy malware in espionage attacks targeting Russian government organizations, media outlets, and educational institutions.

Kaspersky researchers who discovered the actively exploited zero-day said that the attackers use CVE-2025-2783 exploits to bypass Chrome sandbox protections and infect targets with malware.

Last year, Google patched 10 zero-days disclosed during the Pwn2Own hacking competition or exploited in attacks.
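A detection sketch for the Link header behaviour Kokorin describes, added here as an example and not taken from the article, Google, or the researcher: it scans proxy records for cross-origin subresource responses whose `Link` header sets `unsafe-url`. The `referrerpolicy` parameter name comes from the HTML specification rather than from this page, and the record fields (`page`, `request`, `link`) and all sample hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# One link-value: <target> followed by its ;-separated parameters.
LINK_VALUE = re.compile(r'<([^>]*)>([^<]*)')
# Parameter name, then an optional ="quoted" or =token value.
PARAM = re.compile(r';\s*([\w-]+)\s*(?:=\s*(?:"([^"]*)"|([^\s;,]*)))?')

def link_referrer_policies(header):
    """Return (target, policy) for every link-value that sets referrerpolicy."""
    found = []
    for target, params in LINK_VALUE.findall(header):
        for m in PARAM.finditer(params):
            if m.group(1).lower() == "referrerpolicy":
                found.append((target, (m.group(2) or m.group(3) or "").lower()))
    return found

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def flag_unsafe_link_headers(records):
    """Flag cross-origin subresource responses whose Link header sets unsafe-url."""
    hits = []
    for rec in records:
        if origin(rec["page"]) == origin(rec["request"]):
            continue  # the concern on this page is third-party resources
        for target, policy in link_referrer_policies(rec.get("link", "")):
            if policy == "unsafe-url":
                page_has_query = bool(urlsplit(rec["page"]).query)
                hits.append((rec["request"], target, page_has_query))
    return hits

# Constructed proxy records (hypothetical field names): the page, a subresource
# it loaded, and the Link header returned with that subresource.
SAMPLE = [
    {"page": "https://app.example/callback?code=abc123&state=xyz",
     "request": "https://img.third-party.example/avatar.png",
     "link": '<https://img.third-party.example/log>; rel="preload"; as="image"; referrerpolicy="unsafe-url"'},
    {"page": "https://app.example/home",
     "request": "https://cdn.example/lib.js",
     "link": "<https://cdn.example/font.woff2>; rel=preload; as=font; crossorigin"},
    {"page": "https://app.example/callback?code=abc123",
     "request": "https://app.example/logo.png",
     "link": "<https://app.example/x>; rel=preload; as=image; referrerpolicy=unsafe-url"},
    {"page": "https://app.example/home",
     "request": "https://a.example/banner.png",
     "link": "<https://a.example/x>; rel=preload; as=image; referrerpolicy=no-referrer, "
             "<https://a.example/y>; rel=preload; as=image; referrerpolicy=Unsafe-URL"},
]

if __name__ == "__main__":
    for request, target, has_query in flag_unsafe_link_headers(SAMPLE):
        print(f"{request} -> {target} (page URL has query: {has_query})")
```

The third field of each hit shows whether the page URL carried query parameters, which is the data the article says is exposed.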

Daily Brief Summary

MALWARE // Google Releases Update to Patch High-Severity Chrome Vulnerability

Google has released updates to fix a high-severity vulnerability in Chrome that could potentially lead to account takeovers.

The flaw (CVE-2025-4664) has a public exploit and sits in Chrome’s Loader component, where it allows cross-origin data leakage through maliciously crafted HTML pages.

The vulnerability was discovered by Solidlab security researcher Vsevolod Kokorin and stems from insufficient policy enforcement: Chrome resolves the Link header on subresource requests, and that header can set a referrer-policy.

Exploitation of this vulnerability could expose sensitive user data, such as OAuth query parameters, which might lead to unauthorized account access.

Patches have been issued for desktop versions of Chrome (136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS).

Google encourages users to update their browser immediately to the latest patched version or allow Chrome to automatically install updates.

The company had previously addressed a Chrome zero-day vulnerability earlier in the year used in targeted attacks against Russian entities.

Google’s proactive patching approach continues as a response to the increasing number of zero-day vulnerabilities being exploited.