Chromium Load-referrer Vulnerability Leaking Cross-Origin Data

Published by ezedoesit

An overview of a Google Chrome vulnerability (CVE-2025-4664) that enables cross-origin data leakage by bypassing referrer policies, potentially leading to account takeover and unauthorized access. Originally written in May 2025.


Overview

Security researchers discovered a vulnerability in Google Chrome, identified as CVE-2025-4664. The flaw, found in the browser’s Loader component, allows attackers to bypass referrer policies and leak sensitive cross-origin data, ultimately leading to account hijacking, identity theft or unauthorized access. The issue affects Chrome versions prior to 136.0.7103.113 and other Chromium-based browsers, including Microsoft Edge and Opera. "Unlike other browsers, Chrome resolves the Link header on subresource requests," Solidlab researcher Vsevolod Kokorin explained. "But what's the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters."

The vulnerability allows a malicious website to trick Chrome into sending the full URL of a referring page, which could include sensitive information such as session tokens or user identifiers when loading subresources like images. “Query parameters can contain sensitive data — for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a third party resource” wrote Kokorin. This behavior violates the browser’s same-origin policy, a key security feature that prevents websites from accessing data from other domains. Google confirmed "that knowledge of CVE-2025-4664 exists in the wild." While unpatched systems remain vulnerable, the attack has been mitigated in updated versions of the browser.

Why it matters:

Although the flaw is rated Medium severity with a CVSS score of 4.3, Chrome is the most widely used browser in the world, and many other browsers (like Edge, Brave, and Opera) are based on Chromium. By leaking cross-origin data, attackers can gain unauthorized access to user accounts or sensitive information. Developers are also urged to avoid placing sensitive data in URLs and to enforce strict referrer policies. Vulnerabilities like this erode user trust and challenge the integrity of web security standards. Users who have disabled automatic updates or haven't restarted their browser recently should check for updates and apply them manually if needed.
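As an added example (not code from the original post or from the researcher's writeup), the following developer-side check audits an HTTP response for the three conditions the post describes: a page-level Referrer-Policy that is missing or leaks the full URL, secrets carried in query parameters, and a Link header that tries to set a leaky referrerpolicy on a subresource. The Link parser is a simplified RFC 8288 reading, and the SENSITIVE_PARAMS list is a constructed set of common token-bearing parameter names, not an exhaustive one.

```python
from urllib.parse import urlsplit, parse_qsl
import re

# Referrer policies that still transmit the full referring URL (path + query)
# to a cross-origin destination over HTTPS; these are the ones that leak tokens.
LEAKY_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}
# Constructed list of query parameter names that commonly carry secrets (assumption).
SENSITIVE_PARAMS = {"token", "access_token", "code", "state", "session", "sessionid", "id_token"}


def parse_link_header(value):
    """Split an HTTP Link header into (target, {param: value}) entries (simplified RFC 8288)."""
    entries = []
    for part in re.split(r",(?=\s*<)", value):
        m = re.match(r"\s*<([^>]*)>\s*(.*)", part)
        if not m:
            continue
        target, rest = m.group(1), m.group(2)
        params = {}
        for p in rest.split(";"):
            p = p.strip()
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"').lower()
            elif p:
                params[p.lower()] = ""
        entries.append((target, params))
    return entries


def link_forces_leaky_referrer(link_value):
    """True if any Link entry asks for a referrer policy that sends the full referring URL."""
    return any(p.get("referrerpolicy") in LEAKY_POLICIES for _, p in parse_link_header(link_value))


def audit_response(page_url, headers):
    """Return findings for one response: page policy, secrets in its URL, leaky Link header."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    policy = h.get("referrer-policy", "").lower()
    if policy == "" or policy in LEAKY_POLICIES:
        findings.append("referrer-policy-missing-or-leaky")
    secrets = [k for k, _ in parse_qsl(urlsplit(page_url).query) if k.lower() in SENSITIVE_PARAMS]
    if secrets:
        findings.append("sensitive-query-params:" + ",".join(secrets))
    if "link" in h and link_forces_leaky_referrer(h["link"]):
        findings.append("link-header-sets-leaky-referrerpolicy")
    return findings
```

A clean result is an empty list; a page that sets `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) and keeps tokens out of the URL passes even if a third-party subresource response carries a Link header.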
