Insufficient Policy Enforcement in Google Chrome Affects Cross-Origin Data Security
CVE-2025-4664
Key Information:
Badges
What is CVE-2025-4664?
CVE-2025-4664 is a high-severity vulnerability found in Google Chrome, specifically in the Loader component, affecting versions prior to 136.0.7103.113. This security flaw stems from insufficient policy enforcement, which can be exploited by a remote attacker to leak cross-origin data through a specially crafted HTML page. Given that Google Chrome is one of the most widely used web browsers globally, this vulnerability poses a significant risk to organizations relying on it for secure web interactions. When users navigate to a maliciously designed website, attackers could gain access to sensitive information that should be protected by the browser's security policies, potentially leading to unauthorized access to sensitive data, identity theft, or further exploitation of networked systems.
Potential impact of CVE-2025-4664
-
Data Leakage: Organizations could experience unauthorized access to cross-origin data, resulting in the exposure of sensitive user information or internal data. This could severely impact privacy and compliance with data protection regulations.
-
Increased Attack Surface: The presence of this vulnerability broadens the potential attack vectors for malicious actors, encouraging them to devise more sophisticated attacks that leverage cross-origin data vulnerabilities.
-
Reputation Damage: A successful exploitation of this vulnerability could lead to data breaches, which may erode customer trust and damage the organization's reputation, particularly if sensitive customer data is compromised.
CISA has reported CVE-2025-4664
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-4664 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Chrome 136.0.7103.113
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
HackreadCVE-2025-4664Chrome 0-Day CVE-2025-4664 Exposes Windows, Linux Browser Activity
A Chrome zero-day bug, CVE-2025-4664, exposes login tokens on Windows and Linux. Google has issued a fix, users should update immediately.
2 weeks ago
Security AffairsCVE-2025-4664U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog
U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog.
3 weeks ago
Help Net SecurityCVE-2025-4664CISA: Recently fixed Chrome vulnerability exploited in the wild (CVE-2025-4664) - Help Net Security
A Chrome vulnerability (CVE-2025-4664) that Google has fixed on Wednesday is being leveraged by attackers, CISA has confirmed.
3 weeks ago
References
CVSS V3.1
Timeline
- π‘
Public PoC available
- π₯
Vulnerability reached the number 1 worldwide trending spot
- π
Vulnerability started trending
- πΎ
Exploit known to exist
- π¦
CISA Reported
- π°
First article discovered by SecurityWeek
Vulnerability published
Vulnerability Reserved