On Thursday, CISA warned U.S. federal companies to safe their methods towards ongoing assaults exploiting a high-severity vulnerability within the Chrome net browser.
Solidlab safety researcher Vsevolod Kokorin found the flaw (CVE-2025-4664) and shared technical particulars on-line on Could fifth. Google launched safety updates to patch it on Wednesday.
As Kokorin defined, the vulnerability is due to inadequate coverage enforcement in Google Chrome’s Loader part, and profitable exploitation can permit distant attackers to leak cross-origin knowledge by way of maliciously crafted HTML pages.
“You most likely know that in contrast to different browsers, Chrome resolves the Hyperlink header on subresource requests. However what’s the issue? The problem is that the Hyperlink header can set a referrer-policy. We will specify unsafe-url and seize the complete question parameters,” Kokorin famous.
“Question parameters can include delicate knowledge – for instance, in OAuth flows, this would possibly result in an Account Takeover. Builders hardly ever take into account the potential of stealing question parameters by way of a picture from a Third-party useful resource.”
Whereas Google did not disclose if the vulnerability was beforehand abused in assaults or if it is nonetheless being exploited, it warned in a safety advisory that it has a public exploit, which is the way it normally hints at lively exploitation.
Flagged as actively exploited
Sooner or later later, CISA confirmed CVE-2025-4664 is being abused within the wild and added it to the Identified Exploited Vulnerabilities catalog, which lists safety flaws actively exploited in assaults.
As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Govt Department (FCEB) companies should patch their Chrome set up inside three weeks, by Could seventh, to safe their methods towards potential breaches.
Whereas this directive solely applies to federal companies, all community defenders are suggested to prioritize patching this vulnerability as quickly as attainable.
“These kind of vulnerabilities are frequent assault vectors for malicious cyber actors and pose vital dangers to the federal enterprise,” the cybersecurity company warned.
That is the second actively exploited Chrome zero-day patched by Google this 12 months, after one other high-severity Chrome zero-day bug (CVE-2025-2783), which was abused to focus on Russian authorities organizations, media shops, and academic establishments in cyber-espionage assaults.
Kaspersky researchers who noticed the zero-day assaults mentioned that the menace actors used CVE-2025-2783 exploits to bypass Google Chrome’s sandbox protections and infect targets with malware.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and how you can defend towards them.
