Summary
A flaw in Chrome’s Loader lets a crafted web page cause the browser to disclose cross-origin data it should keep private. By abusing how Chrome handles Link headers and referrer-policy for sub-resource requests, an attacker can capture full referrer URLs (including sensitive query parameters such as OAuth tokens) and send them to an attacker-controlled server.
Urgent Actions Required
- Update Chrome to 136.0.7103.113 (Windows/Linux) or 136.0.7103.114 (macOS) immediately.
- If you can’t patch yet, avoid using affected versions.
- Regularly check Chrome versions and keep automatic updates on.
- Watch for unusual browser activity or unexpected data leaks.
- Follow CISA BOD 22-01 and Google’s security guidance.
Which Systems Are Vulnerable to CVE-2025-4664?
Technical Overview
- Vulnerability Type: Insufficient Policy Enforcement in Chrome’s Loader Component
- Affected Software/Versions:
Google Chrome versions prior to 136.0.7103.113 (Windows/Linux) and prior to 136.0.7103.114 (macOS) - Attack Vector: Network (via crafted HTML page)
- CVSS Score: 4.3
- CVSS Vector: v3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
- Patch Availability: Yes, available
Chrome Releases: Stable Channel Update for Desktop
How Does the CVE-2025-4664 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-4664?
Vulnerability Root Cause:
The flaw is in Chrome’s Loader component failing to enforce referrer and origin policies correctly for subresource requests. Chrome processes the HTTP Link header on those requests and accepts a referrer-policy set there. A crafted Link header can force Chrome to send full referrer URLs (including query strings like OAuth tokens) to thirdparty sites, allowing attackers to capture sensitive data.
How Can You Mitigate CVE-2025-4664?
If immediate patching is delayed or not possible:
- Remove or block the vulnerable Chrome/Chromium builds from use.
- If a fixed build isn’t available on a platform, discontinue use of that browser until a patched release is installed.
- Use your vulnerability detection tooling to find all affected hosts and track remediation status.
- Isolate or restrict vulnerable endpoints from access to sensitive systems or services until they are updated.
- Monitor outbound browser traffic for unexpected requests that include full referrer URLs or query parameters sent to unfamiliar third-party domains.
- Verify remediation by checking browser versions (for example via chrome://settings/help) and confirming inventory/patch reports show the patched builds.
- Follow CISA’s guidance (KEV listing and BOD 22-01 recommendations) and Google’s update instructions as you apply mitigations.
- Advise users to avoid visiting untrusted or suspicious websites while systems remain unpatched.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- Web Browsers – Google Chrome versions earlier than 136.0.7103.113.
- Chromium-based Applications – Any apps or systems that embed the vulnerable Chrome Loader component.
Business-Critical Systems at Risk:
- Enterprise and personal systems using outdated Chrome versions – Possible exposure of sensitive data through malicious web pages.
- Organizations relying on Chrome for secure browsing – Risk of leaking cross-origin data, including tokens or URLs with sensitive parameters.
Exposure Level:
- Internet-connected systems – Users visiting malicious or compromised websites are most at risk.
- Unpatched environments – Devices where Chrome is not updated to 136.0.7103.113 or .114 remain exploitable.
Will Patching CVE-2025-4664 Cause Downtime?
Patch application impact: Low. Updating to Chrome versions 136.0.7103.113 (Windows/Linux) or 136.0.7103.114 (macOS) resolves the issue. The update installs automatically or with minimal user action and causes no downtime or service disruption.
How Can You Detect CVE-2025-4664 Exploitation?
Exploitation Signatures:
- Outbound requests to attacker domains that include full Referer URLs with query strings.
- Link headers allowing full referrer URLs (e.g., unsafe-url)
- Public PoC or GitHub repos for CVE-2025-4664
Indicators of Compromise (IOCs/IOAs):
- Endpoints using Chrome/Chromium below 136.0.7103.113 (Windows/Linux) or 136.0.7103.114 (macOS).
- Network logs showing referrer URLs with sensitive tokens sent to unknown third-party hosts.
- Detection of known public PoC files or exploit code.
Behavioral Indicators:
- Browsers issuing subresource requests that carry full referrer URLs (including query strings) to external domains.
- Sudden appearance of OAuth/session parameters in external-host logs or network captures.
Alerting Strategy:
- Priority: High
- Trigger alerts for:
- Network event where a referrer URL containing query parameters is sent to an unrecognized third-party host.
- Discovery of PoC/exploit artefacts referencing CVE-2025-4664 in internal logs or repositories.
Remediation & Response
Remediation Timeline:
- Immediate: Update Chrome to 136.0.7103.113 (Windows/Linux) or 136.0.7103.114 (macOS)
- Short term: Check all endpoints show the updated version
- CISA notes: Treat this as urgent; fix by June 5, 2025 per KEV guidance
Incident Response Considerations:
- If exposed, isolate affected machines.
- Collect network, proxy/CDN logs, and alerts referencing CVE-2025-4664.
- Check referrer URLs for sensitive data like tokens or session IDs. If such tokens appear to have been leaked, revoke or rotate them and reset impacted accounts.
- Document findings (hosts, timestamps, leaked parameters) and track remediation status in your vulnerability system.
- After containment and patching, maintain enhanced monitoring for any recurring signs of referrer-based leaks or related PoC activity.
Compliance & Governance Notes
Standards Impacted:
- ISO 27001: A.12.6.1 – Management of technical vulnerabilities.
- NIST 800-53: SI-2 – Flaw remediation and patch management.
- CISA KEV guidance / BOD 22-01 – Follow remediation deadlines for known exploited vulnerabilities.
Audit Trail Requirement:
- Log all activity showing CVE-2025-4664 attempts with timestamp, IP, and URL.
- Record patch details: date, engineer, hosts, and Chrome version.
- Maintain a revision-controlled change log for Chrome updates in your change-management system.
- Provide regular status reports to security or compliance officers until all affected systems are patched.
Policy Alignment:
- Scan Chrome monthly and enable auto-updates.
- Update Incident Response Plan: detect, isolate, fix.
- Track and patch all Chrome endpoints by June 5, 2025.
Where Can I Find More Information on CVE-2025-4664?
- ^NVD – CVE-2025-4664
- ^New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy
- ^CVE-2025-4664 – How a Chrome Loader Bug Let Attackers Leak Cross-Origin Data (Exploit & Analysis)
- ^CVE-2025-4664 | Tenable®
- ^CISA Warns of Google Chromium 0-Day Vulnerability Actively Exploited in the Wild – Patch Now!
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 4.3 | Medium severity vulnerability indicating potential data exposure through cross-origin leaks |
| Attack Vector | Network | Exploitable remotely via a crafted HTML page without local access |
| Attack Complexity | Low | Exploitation is straightforward; no special conditions required |
| Privileges Required | None | No authentication or elevated privileges needed |
| User Interaction | Required | User must visit a malicious webpage for the exploit to trigger |
| Scope | UnChanged | Exploitation affects only the Chrome Loader component |
| Confidentiality Impact | Low | Attack can leak cross-origin data such as OAuth tokens |
| Integrity Impact | None | Exploit does not allow modification of data |
| Availability Impact | None | No impact on system availability; browser continues functioning normally |
