Google has patched a high-severity vulnerability in its Chrome browser, tracked as CVE-2025-4664, which was reportedly being exploited by attackers in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation by adding the flaw to its Known Exploited Vulnerabilities catalog. The update was pushed out on Wednesday, following the alert about the vulnerability's existence.
CVE-2025-4664 arises from insufficient policy enforcement in Google Chrome's Loader component. It allows an attacker to make the browser leak cross-origin data, which could in turn be used to take over user accounts. The flaw can be triggered via a specially crafted HTML page and affects Chrome versions prior to 136.0.7103.113/.114 on Windows, macOS, and Linux.
Google acknowledged that awareness of CVE-2025-4664 had been circulating publicly since May 5, 2025. However, the company’s language left it ambiguous whether the flaw had already been exploited until CISA’s confirmation. Security researcher Vsevolod Kokorin contributed insights into the vulnerability, explaining how specific header configurations could make sensitive data, such as OAuth query parameters, susceptible to theft through third-party resources.
Because inclusion in CISA's catalog signals an urgent need for action, civilian US federal agencies are mandated to mitigate this flaw by July 5, 2025. Organizations in the private sector are also urged to prioritize updating their Chrome browsers. Users who update manually can do so by closing all open Chrome windows and reopening the browser; those with automatic updates enabled will receive the fix without further action. Updates addressing CVE-2025-4664 have also been released for Microsoft Edge and are expected to follow for other Chromium-based browsers such as Opera and Brave.
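For administrators who need to confirm that the fix described above is actually installed, here is a small added example (not code from the article or from Google) that parses the output of `google-chrome --version` and compares it against the minimum fixed build named in the advisory. It assumes a Linux-style `--version` invocation and the binary names listed in the code; the version parsing and comparison work on any platform.

```python
import re
import shutil
import subprocess

# Minimum fixed build from the advisory: the patch shipped as 136.0.7103.113
# (and .114 on some platforms), so any build >= .113 carries the fix.
FIXED_VERSION = (136, 0, 7103, 113)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Extract the four-part Chrome version from a string such as
    'Google Chrome 136.0.7103.113' (the format printed by --version)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if a four-part version tuple includes the CVE-2025-4664 fix."""
    return tuple(version) >= FIXED_VERSION


def installed_chrome_version(candidates=("google-chrome",
                                         "google-chrome-stable",
                                         "chromium", "chromium-browser")):
    """Run the first Chrome/Chromium binary found on PATH with --version
    (assumed Linux-style binary names) and return its parsed version,
    or None if no binary is found."""
    for name in candidates:
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, check=False).stdout
            return parse_chrome_version(out)
    return None


if __name__ == "__main__":
    found = installed_chrome_version()
    if found is None:
        print("Chrome/Chromium not found on PATH")
    else:
        state = "patched" if is_patched(found) else "VULNERABLE - update Chrome"
        print(".".join(map(str, found)), state)
```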