On Thursday, CISA warned U.S. federal businesses to safe their methods towards ongoing assaults exploiting a high-severity vulnerability within the Chrome internet browser.
Solidlab safety researcher Vsevolod Kokorin found the flaw (CVE-2025-4664) and shared technical particulars on-line on Could fifth. Google launched safety updates to patch it on Wednesday.
As Kokorin defined, the vulnerability is due to inadequate coverage enforcement in Google Chrome’s Loader part, and profitable exploitation can enable distant attackers to leak cross-origin information through maliciously crafted HTML pages.
“You most likely know that not like different browsers, Chrome resolves the Hyperlink header on subresource requests. However what’s the issue? The difficulty is that the Hyperlink header can set a referrer-policy. We are able to specify unsafe-url and seize the complete question parameters,” Kokorin famous.
“Question parameters can include delicate information – for instance, in OAuth flows, this may result in an Account Takeover. Builders hardly ever think about the potential for stealing question parameters through a picture from a Third-party useful resource.”
Whereas Google did not disclose if the vulnerability was beforehand abused in assaults or if it is nonetheless being exploited, it warned in a safety advisory that it has a public exploit, which is the way it normally hints at energetic exploitation.
Flagged as actively exploited
Someday later, CISA CONFIRMED CVE-2025-4664 is being abused within the wild and added it to the Identified Exploited Vulnerabilities catalogwhich lists safety flaws actively exploited in assaults.
As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Government Department (FCEB) businesses should patch their Chrome set up inside three weeks, by Could seventh, to safe their methods towards potential breaches.
Whereas this directive solely applies to federal businesses, all community defenders are suggested to prioritize patching this vulnerability as quickly as doable.
“These kind of vulnerabilities are frequent assault vectors for malicious cyber actors and pose important dangers to the federal enterprise,” the cybersecurity company warned.
That is the second actively exploited Chrome zero-day patched by Google this yr, after one other high-severity Chrome zero-day bug (CVE-2025-2783), which was abused to focus on Russian authorities organizations, media retailers, and academic establishments in cyber-espionage assaults.
Kaspersky researchers who noticed the zero-day assaults mentioned that the menace actors used CVE-2025-2783 exploits to bypass Google Chrome’s sandbox protections and infect targets with malware.
Primarily based on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and easy methods to defend towards them.
