Chrome 136 Patches Active Data-Leak Bug
A fast patch for a sneaky cross-origin loophole
Google has pushed an emergency update to the stable channel of its Chrome browser after a security researcher demonstrated a simple trick that lets one website siphon off information meant for another. The glitch, catalogued as CVE-2025-4664, sits inside Chrome's "Loader" component and stems from a gap in policy enforcement. In practical terms that gap allows a malicious page to use an ordinary HTML header to force Chrome to reveal the full address, including any query-string secrets, of privileged web content embedded from a different origin. Because login flows, password reset links and single-sign-on services often store tokens in those query strings, the weakness can open the door to full account takeovers. Google classifies the issue as high-severity and, crucially, acknowledges that "an exploit exists in the wild", signalling that the proof of concept is already circulating outside the company's walls. (Source: The Hacker News)
The researcher who pulled the fire alarm
The bug did not surface through Google's own fuzzing farms or a bug-bounty submission. Instead, Ukrainian security specialist Vsevolod "Slonser" Kokorin posted a series of notes on X on 5 May explaining how Chrome, unlike other browsers, automatically resolves the HTML Link header when that header appears in sub-resource requests. By specifying a referrer-policy: unsafe-url, Kokorin showed that an attacker could trick Chrome into printing the full referring URL, including all query parameters, inside a request that travels to a domain the attacker controls. A single-pixel image tag is enough to pull off the heist. Kokorin's demo used an OAuth redirect loaded inside an <iframe> to steal an access token, underscoring how little code is needed to weaponise the flaw. (Source: The Hacker News)
Four fixes, one live exploit
Google shipped the patch on Wednesday (14 May 2025 in the U.S. release schedule) as part of Chrome 136.0.7103.113 for Windows and Linux and 136.0.7103.114 for macOS. Three additional issues, one in Mojo IPC and two rated medium, were also corrected, but only CVE-2025-4664 carries the "exploit in the wild" warning. The company is, as usual, withholding deeper technical details until a majority of users have installed the update. Earlier this spring Google dealt with a different actively exploited Chrome zero-day, CVE-2025-2783, so CVE-2025-4664 becomes the second Chrome flaw this year known to be under live attack before a fix was available. (Sources: SecurityWeek, BleepingComputer)
Why the bug is more dangerous than it looks
Cross-origin leaks are not new, but most browsers guard strictly against them. What makes CVE-2025-4664 stand out is the mundane piece of web plumbing it abuses, the Link header, and the tiny amount of code required to stage an attack. Many websites allow images to load from third-party CDNs or analytics platforms, making the insertion of a malicious <img> tag trivial. Because the vulnerability leaks data at the HTTP layer, common client-side defences such as Content Security Policy or SameSite cookies offer limited help. Cloud services that embed OAuth flows or payment widgets inside iframes are particularly exposed. Security researchers warn that criminals often replay public proofs of concept against big targets within hours of release; fresh zero-days make enticing bait for phishing kits, malvertising campaigns and targeted espionage. (Source: BleepingComputer)
What users and admins should do right now
For individual users the remedy is straightforward: restart Chrome after visiting Help > About Google Chrome to pull down version 136.0.7103.113 (Windows/Linux) or 136.0.7103.114 (macOS). The browser will complete the patch as soon as it restarts. Administrators managing fleets can roll out the update through Google's enterprise policies or their usual software-distribution tools. Because Edge, Brave, Opera and Vivaldi all share the same Chromium base, their maintainers are expected to deliver equivalent fixes in the coming days; users of those browsers should keep an eye on release notes and apply updates as soon as they land.
A quick takeaway for developers
If your application relies on query-string parameters to ferry tokens or other sensitive data, now is a good moment to revisit that design. Tokens passed inside the URL bar are exposed to browser history, network logs and, as CVE-2025-4664 shows, even image requests from a hostile domain. Moving secrets to signed cookies or POST bodies, tightening Referrer-Policy headers, and validating the origins of sub-resource requests are cheap safeguards that can blunt this and future cross-origin data leaks.
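As an added example (not code from the article, from Google or from the researcher's demo), the Python below works through the two points above: it computes which Referer a browser sends under each Referrer-Policy value, showing why unsafe-url exposes the query string while Chrome's default strict-origin-when-cross-origin sends only the origin, and it adds a check a proxy or log pipeline could run to flag responses whose Link header requests a preload with an unsafe-url referrer policy, the combination described in this report. The Link parameter spelling referrerpolicy and all sample URLs are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def _origin(parts):
    return f"{parts.scheme}://{parts.netloc}"


def referer_sent(policy, referring_url, target_url):
    """Referer value a browser sends for a sub-resource fetch under the given Referrer-Policy.

    Returns None when no Referer is sent. Mirrors the W3C Referrer Policy algorithm for URLs
    without userinfo. 'full' keeps the query string: exactly what unsafe-url exposes.
    """
    src, dst = urlsplit(referring_url), urlsplit(target_url)
    full = urlunsplit(src._replace(fragment=""))    # strip only the fragment
    origin = _origin(src) + "/"                       # origin-only form, trailing slash per spec
    same_origin = _origin(src) == _origin(dst)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    return {
        "no-referrer": None,
        "unsafe-url": full,
        "origin": origin,
        "same-origin": full if same_origin else None,
        "origin-when-cross-origin": full if same_origin else origin,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin": None if downgrade else origin,
        "strict-origin-when-cross-origin": full if same_origin else (None if downgrade else origin),
    }[policy]


def unsafe_link_preloads(headers):
    """Targets of Link headers that ask for a preload with an unsafe-url referrer policy.

    `headers` is a list of (name, value) pairs from one response, e.g. from a proxy log.
    Parameter names are normalised (case, hyphens) so the assumed 'referrerpolicy' spelling
    and the 'referrer-policy' spelling used in reports both match. Targets containing ','
    are not handled by this simple split.
    """
    hits = []
    for name, value in headers:
        if name.lower() != "link":
            continue
        for entry in value.split(","):
            target, *params = [p.strip() for p in entry.split(";")]
            kv = {}
            for p in params:
                k, _, v = p.partition("=")
                kv[k.strip().lower().replace("-", "")] = v.strip().strip('"').lower()
            if "preload" in kv.get("rel", "") and kv.get("referrerpolicy") == "unsafe-url":
                hits.append(target.strip("<>"))
    return hits
```

Run referer_sent with an OAuth callback URL as the referring page and a third-party image as the target to compare policies; feed unsafe_link_preloads the response headers recorded for image fetches to surface the abused header pattern.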
Chrome's rapid auto-update model means most users will be protected within days, yet history shows that unpatched endpoints linger for months in corporate environments and on kiosk or embedded systems. With a working exploit already public, that lag could be all an attacker needs. Keeping Chrome and its cousins up to date remains one of the easiest wins in browser security.