On Wednesday, Google released updates to address four security vulnerabilities in its Chrome browser, including one that the company says is being actively exploited in the wild.
The high-severity issue, tracked as CVE-2025-4664 (CVSS score: 4.3), has been described as an instance of insufficient policy enforcement in a component called Loader.
“Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak data from different origins via a specially crafted HTML page,” reads the official description of the flaw.
Google credited security researcher Vsevolod Kokorin (@slonser_) for reporting the issue on X on May 5, 2025, and noted that it is aware of an exploit for CVE-2025-4664 being used in the wild.
“Unlike other browsers, Chrome resolves the referrer header on subresource requests,” Kokorin explained in a series of posts on X earlier this month. “The problem is that the referrer header can specify a referrer-policy. We can set unsafe-url and capture the full query parameters.”
The researcher added that query parameters can contain sensitive data that could lead to account takeover and that those query parameters can be exfiltrated via an image from a third-party resource.
It is unclear whether the vulnerability has been used for malicious purposes beyond the proof-of-concept (PoC) demonstration. CVE-2025-4664 is the second flaw to be publicly listed as “actively exploited,” following CVE-2025-2783.
To protect against potential threats, users are advised to update Chrome to version 136.0.7103.113/.114 for Windows and macOS, and 136.0.7103.113 for Linux. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera and Vivaldi should also apply patches when they become available.
Update
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-4664 to its Known Exploited Vulnerabilities (KEV) catalog, which requires federal agencies to install fixes by June 5, 2025.