Chrome CVE-2025-4664 Fix Released, Update Now


Google has patched a critical flaw in Chrome and it’s one that’s already being exploited. On Wednesday, the tech giant released an update for Chrome 136, fixing four vulnerabilities, including one high-severity issue tracked as CVE-2025-4664, which has been confirmed to have an active exploit in the wild.

The bug, rated as a high-risk security vulnerability with a CVSS score of 4.3, stems from insufficient policy enforcement in Chrome’s Loader component. Left unpatched, it allows attackers to leak cross-origin data by crafting malicious HTML pages.

In plain terms, an attacker could potentially exploit this to steal sensitive user data from other websites. That is a serious concern for anyone using Chrome to access accounts whose URLs carry sensitive query parameters, such as password reset links, authentication tokens, or email-based logins.

Security Researcher Details Chrome Exploit on X

The issue was discovered and responsibly disclosed by security researcher Vsevolod Kokorin (@slonser_), who posted technical insights on May 5, 2025, via X (formerly Twitter). According to Kokorin, the Chrome Loader fails to adequately enforce security policies tied to the Link header on sub-resource requests.

“Unlike other browsers, Chrome resolves the Link header on sub-resource requests,” Kokorin explained. “That means a malicious actor could set the referrer-policy to ‘unsafe-url’ and extract sensitive query parameters—potentially enough for a full account takeover.”

In a proof-of-concept (PoC) demonstration, Kokorin showed how this vulnerability could be exploited by embedding a third-party image to exfiltrate sensitive URL data from unsuspecting users.
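The following is an added example, not code from the advisory or the researcher's PoC. It shows the defender's view of the two facts described above: a small parser that flags sub-resource responses whose Link header asks for `referrerpolicy=unsafe-url`, and a simplified model of what the Referer header would carry under that policy versus Chrome's default. The sample responses, hostnames and token are constructed; the `referrerpolicy` Link parameter name is assumed from the HTML preload spec.

```python
import re
from urllib.parse import urlparse

# Constructed sample sub-resource responses (not from the advisory): one benign
# preload hint and one that tries to relax the referrer policy to unsafe-url.
SAMPLE_RESPONSES = [
    {"url": "https://cdn.example.test/lib.js",
     "link": "<https://cdn.example.test/font.woff2>; rel=preload; as=font"},
    {"url": "https://third-party.example.test/pixel.gif",
     "link": "<https://collector.example.test/p.gif>; rel=preload; as=image; "
             "referrerpolicy=unsafe-url, <https://cdn.example.test/a.css>; "
             "rel=preload; as=style"},
]

# One <target> followed by its ;-separated parameters, up to the next comma.
_LINK_RE = re.compile(r"<([^>]*)>\s*((?:;\s*[^,;]+)*)")


def parse_link_header(value):
    """Split an RFC 8288 style Link header into (target, {param: value}) pairs."""
    links = []
    for target, raw_params in _LINK_RE.findall(value):
        params = {}
        for part in raw_params.split(";"):
            part = part.strip()
            if not part:
                continue
            name, _, val = part.partition("=")
            params[name.strip().lower()] = val.strip().strip('"').lower()
        links.append((target, params))
    return links


def find_unsafe_referrer_hints(responses):
    """Return (response_url, link_target) for every Link hint set to unsafe-url."""
    findings = []
    for resp in responses:
        for target, params in parse_link_header(resp.get("link", "")):
            if params.get("referrerpolicy") == "unsafe-url":
                findings.append((resp["url"], target))
    return findings


def referer_sent(page_url, policy, cross_origin=True):
    """Simplified Referer a browser sends from page_url (HTTPS to HTTPS assumed)."""
    u = urlparse(page_url)
    origin = f"{u.scheme}://{u.netloc}/"
    full = u._replace(fragment="").geturl()   # unsafe-url keeps path and query
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer":
        return ""
    # strict-origin-when-cross-origin (Chrome's default): origin only across origins
    return origin if cross_origin else full
```

Running `find_unsafe_referrer_hints` over proxy-captured response headers is a cheap way to spot third-party content that asks for the relaxed policy, and `referer_sent` shows why a reset-token URL is only exposed under `unsafe-url`.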

Google has not confirmed whether this flaw has been used maliciously in the wild beyond the PoC, but its advisory clearly states an exploit exists, making it the second actively exploited Chrome flaw in 2025 after CVE-2025-2783.

Update Now: Patch Details and Protection Advice

Users are strongly urged to update their Chrome browsers immediately to one of the following versions:

  • Windows & macOS: Chrome 136.0.7103.113 or 136.0.7103.114
  • Linux: Chrome 136.0.7103.113

If you’re using a Chromium-based browser like Microsoft Edge, Brave, Vivaldi, or Opera, monitor their respective update channels and apply patches as soon as they are released.

These updates are crucial not just for Chrome users but for the broader Chromium browser ecosystem. Unpatched, the Chrome CVE-2025-4664 vulnerability leaves users exposed to cross-origin data leaks and potential hijacking of online accounts.
