CVE-2025-4664: Google Fixes Chrome Zero-Day Exploited in the Wild


On May 15, 2025, Google issued an emergency security advisory for a high-severity vulnerability in its Chrome web browser. This vulnerability affects the Loader component, allowing attackers to bypass cross-origin restrictions and exfiltrate sensitive data, such as OAuth tokens, by leveraging improper handling of HTTP headers. A public exploit is known to exist in the wild, increasing the urgency for remediation.

Severity Level: High

VULNERABILITY OVERVIEW:

  1. Vulnerability Details:
    • CVE: CVE-2025-4664
    • Exploit Availability: Confirmed (Public)
    • Type: Insufficient Policy Enforcement / Information Disclosure
    • Affected Versions: Chrome versions before 136.0.7103.113/.114 for Windows and Mac, and before 136.0.7103.113 for Linux
    • Description: The vulnerability stems from how Google Chrome handles the Link HTTP header in subresource requests. Unlike other browsers, Chrome processes this Link header, which lets the header set or override the referrer policy unexpectedly.
  2. Root Cause: At the core, the issue lies in:
    • Chrome allowing subresource requests (e.g., images) to inherit the referrer policy from a Link header.
    • The referrer policy in these headers can be set to unsafe-url, which permits full URLs, including query parameters (such as tokens and IDs), to be sent in the Referer header.
    • This becomes a significant problem when:
      • A third-party image is embedded in a page.
      • The browser fetches the image and, because of the relaxed policy, includes the sensitive information in the Referer header.
  3. Exploitation:
    • The attacker hosts a malicious HTML page or script that embeds a subresource (e.g., an image) pointing to their own server. The victim visits this page while authenticated with another site (e.g., using OAuth).
    • The attacker uses a Link header to force Chrome to apply referrer-policy: unsafe-url.
    • The browser then sends the full referrer URL, including sensitive query parameters, to the attacker's server.
    • These parameters may include OAuth tokens, session keys, or other secrets.
    • If the stolen query parameter includes an OAuth token, the attacker can perform a full account takeover of the user's authenticated session.
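To make the Root Cause and Exploitation points concrete from the defender's side, the following is an added example (not from the advisory, Google, or the exploit author) that computes the Referer value a browser sends under each referrer policy, as the Referrer Policy specification prescribes, and flags Link headers that request unsafe-url. The URLs are constructed, and the Link header form (rel=preload with a referrerpolicy attribute) is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an OAuth callback URL carrying a token in its query
# string, and a third-party image embedded in that page.
PAGE_URL = "https://app.example.test/callback?access_token=CONSTRUCTED_TOKEN"
IMAGE_URL = "https://img.third-party.test/pixel.png"

def _host(p):
    return p.hostname + (f":{p.port}" if p.port else "")

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"

def _full(url):
    # A full Referer never carries userinfo or the fragment.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def referer_for(page_url, request_url, policy):
    """Referer value (None = header omitted) that the Referrer Policy spec
    prescribes for a request to request_url issued from page_url."""
    src, dst = urlsplit(page_url), urlsplit(request_url)
    same_origin = (src.scheme, _host(src)) == (dst.scheme, _host(dst))
    downgrade = src.scheme == "https" and dst.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":                # what the Link header forces
        return _full(page_url)                # query string, token included
    if policy == "origin":
        return _origin(page_url)
    if policy == "same-origin":
        return _full(page_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(page_url)
    if policy == "strict-origin-when-cross-origin":   # Chrome's default
        if downgrade:
            return None
        return _full(page_url) if same_origin else _origin(page_url)
    raise ValueError(f"unsupported referrer policy: {policy}")

# Assumed Link header form: <url>; rel=preload; as=image; referrerpolicy=unsafe-url
_LINK_POLICY = re.compile(r'referrerpolicy\s*=\s*"?([\w-]+)"?', re.IGNORECASE)

def link_header_forces_unsafe_url(link_header):
    """True if a Link header value requests the unsafe-url referrer policy;
    a proxy- or log-side check for subresource responses."""
    return any(v.lower() == "unsafe-url" for v in _LINK_POLICY.findall(link_header))
```

Under Chrome's default policy the third-party fetch receives only the origin, while unsafe-url hands over the full callback URL with the token; keeping secrets out of query strings removes the exposure regardless of which policy a response manages to impose.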

Recommendations:

  1. Update the Google Chrome browser to the latest security patches. Fixed versions: 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux.
  2. Users can also configure the browser to check for new updates automatically and install them at the next launch.

Source:

  • https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
  • https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html


Ampcus Cyber