Google has issued urgent security updates for its Chrome web browser to address four newly discovered vulnerabilities, one of which — CVE-2025-4664 — is being actively exploited in the wild. This critical flaw, involving the Chrome Loader component, enables cross-origin data leakage via misused Referrer-Policy headers. Security researchers are warning that this subtle but serious vulnerability could expose sensitive user information and facilitate full account takeovers under specific circumstances.
📌 What Is CVE-2025-4664?
CVE-2025-4664 is a high-severity vulnerability (CVSS 4.3) caused by insufficient policy enforcement in the Loader module of Chrome. This module processes and manages how resources like images and scripts are loaded on web pages.
In affected versions (prior to Chrome 136.0.7103.113), a specially crafted HTML page can exploit a loophole in the way Chrome handles `Link` headers and `referrer-policy` settings. This behavior enables attackers to bypass same-origin protections and extract data from cross-origin requests — violating fundamental browser security principles.
🧪 How the Exploit Works
The flaw was publicly disclosed by security researcher Vsevolod Kokorin (@slonser_), who also released a proof-of-concept (PoC) on X (formerly Twitter) on May 5, 2025. The attack revolves around the abuse of Chrome’s unique behavior:
“Unlike other browsers, Chrome resolves the `Link` header on sub-resource requests. The issue is that the `Link` header can set a `referrer-policy`. We can specify `unsafe-url` and capture the full query parameters,” Kokorin explained.
This is highly problematic because:
- Sensitive data like access tokens, email addresses, or session IDs are often passed in URL query parameters.
- An attacker can trigger a cross-origin request (e.g., an image request) and force Chrome to leak the full referrer, including sensitive query strings.
- This referrer leakage can then be captured and sent to an attacker-controlled server.
Thus, under specific conditions, a malicious site can exfiltrate sensitive user data without interaction or elevated privileges.
🧑‍💻 What Data Can Be Leaked?
According to the researcher, potential data leakage includes:
- Authentication tokens in OAuth redirects
- User identifiers
- Session tokens or tracking information
- Sensitive search queries
- Potentially, single sign-on (SSO) tokens — which could lead to full account takeover
This kind of vulnerability falls under the cross-origin information disclosure category and can be particularly dangerous for applications that use URL-based authentication mechanisms or rely heavily on client-side routing.
🔥 Exploitation in the Wild
Google confirmed that an exploit for CVE-2025-4664 is already active in the wild but did not specify the scope or attribution of the campaign. At this time, it is unclear if the exploit has been weaponized beyond security research and proof-of-concept demonstrations.
Nevertheless, the fact that this vulnerability is being exploited means users and organizations must treat it as high priority.
🛡️ Who Is Affected?
The following Chrome versions are vulnerable:
- Chrome for Windows and Mac: versions prior to 136.0.7103.113/.114
- Chrome for Linux: versions prior to 136.0.7103.113
Also potentially affected are other Chromium-based browsers, including:
- Microsoft Edge
- Brave
- Vivaldi
- Opera
These browsers often share Chrome’s rendering and network stack, and will require independent vendor patches.
⚙️ Mitigation and Update Guidance
To protect yourself:
- Update Chrome immediately to:
- 136.0.7103.113/.114 (Windows & macOS)
- 136.0.7103.113 (Linux)
- Verify auto-updates are enabled in Chrome:
- Go to chrome://settings/help to trigger an update check.
- Monitor vendor announcements for Chromium-based browsers and apply updates as released.
- Security teams should:
- Review CSP and Referrer-Policy settings across critical domains
- Avoid passing sensitive data in URLs
- Consider tools to detect suspicious referrer behavior
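As an added example (not code from the original article, from Google, or from the researcher), the following Python computes what a cross-origin sub-resource request would carry in its `Referer` header under each W3C Referrer Policy value, so a team reviewing its Referrer-Policy settings can see exactly why `unsafe-url` exposes query strings while the browser default does not, and it includes a small checker that flags referrer policies declared inside `Link` response headers (the parameter spellings it matches, `referrerpolicy` and `referrer-policy`, are an assumption; the sample URLs and header are constructed).

```python
import re
from urllib.parse import urlsplit, urlunsplit

def _full(url: str) -> str:
    """Referrer form of a URL: credentials and fragment stripped, query kept."""
    p = urlsplit(url)
    netloc = p.hostname + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, netloc, p.path or "/", p.query, ""))

def _origin(url: str) -> str:
    """Origin-only referrer: scheme, host, optional port, and a trailing slash."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "") + "/"

def referrer_for(page_url: str, request_url: str, policy: str):
    """Referer value (or None) sent for a request from page_url under a policy."""
    same_origin = _origin(page_url) == _origin(request_url)
    downgrade = urlsplit(page_url).scheme == "https" and urlsplit(request_url).scheme == "http"
    policy = policy.lower() or "strict-origin-when-cross-origin"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":                      # full URL, query included, always
        return _full(page_url)
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _full(page_url)
    if policy == "origin":
        return _origin(page_url)
    if policy == "same-origin":
        return _full(page_url) if same_origin else None
    if policy == "origin-when-cross-origin":
        return _full(page_url) if same_origin else _origin(page_url)
    if policy == "strict-origin":
        return None if downgrade else _origin(page_url)
    # strict-origin-when-cross-origin: the browser default when nothing is set
    if same_origin:
        return _full(page_url)
    return None if downgrade else _origin(page_url)

def link_header_referrer_policies(link_header: str) -> list:
    """Referrer policies declared as parameters of a Link response header.
    Assumption: the parameter is spelled 'referrerpolicy' or 'referrer-policy'."""
    found = []
    for link_value in re.findall(r"<[^>]*>[^,]*", link_header):
        for param in link_value.split(">", 1)[1].split(";")[1:]:
            name, _, value = param.strip().partition("=")
            if name.strip().lower() in ("referrerpolicy", "referrer-policy"):
                found.append(value.strip().strip('"').lower())
    return found

# Constructed sample: a page carrying a token in its query string loads a cross-origin image.
PAGE = "https://app.example/callback?token=SECRET123#top"
IMAGE = "https://cdn.example/pixel.png"
```

Comparing `referrer_for(PAGE, IMAGE, "strict-origin-when-cross-origin")` with `referrer_for(PAGE, IMAGE, "unsafe-url")` shows the origin-only value versus the full URL with the token; a non-empty result from `link_header_referrer_policies` on a proxied response is worth an alert.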
💡 Lessons for Developers and Security Teams
CVE-2025-4664 highlights the complex interplay between HTTP headers, browser behavior, and cross-origin policies. This is a reminder that even industry-standard security headers can become a vector if misapplied or if browser implementations deviate from the norm.
Key takeaways:
- Avoid using `unsafe-url` as a `referrer-policy`.
- Sanitize and limit the use of sensitive data in query parameters.
- Regularly test application behavior against evolving browser implementations.
🔍 Looking Ahead
As the browser landscape evolves and modern applications become more reliant on third-party integrations, cross-origin vulnerabilities will remain a prime target for attackers. The disclosure of CVE-2025-4664 underscores the importance of community-driven research, prompt vendor patching, and proactive security hygiene.
Stay alert, patch early, and never underestimate the potential for small behavioral quirks to lead to large-scale exploits.