Chrome: Insufficient policy enforcement in Loader in Google Chrome (CVE-2025-4664) #shorts
Summary
Welcome to Security Brief, I’m your host. Today we’re diving into CVE-2025-4664, a high-severity Chrome vulnerability that’s already being exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency confirmed active exploitation, and Google rushed out an update to patch this zero-day. We’ll break down what’s at stake and what you need to do to stay safe.
Product details
This issue affects Google Chrome versions prior to 136.0.7103.113 on desktop platforms. It was discovered in the Loader component of Chromium’s rendering engine. Google released patched build 136.0.7103.113, and major Linux distributions such as Fedora have pushed updates that include this fix alongside other critical patches.
Vulnerability type summary
CVE-2025-4664 is classified as insufficient policy enforcement. In plain terms, Chrome’s same-origin protections failed under specific conditions, allowing a malicious page to bypass security policies and read data from another origin. Chromium’s security team rates this flaw as high severity due to the potential for sensitive data leakage.
Details of the vulnerability
Under certain circumstances, a crafted HTML page can manipulate the Loader’s policy checks to access cross-origin resources. An attacker hosting that page could trick a user into visiting it, then silently extract data from other sites the user is signed into. Because the exploit works without any user interaction beyond loading the page, detection can be difficult. CISA has confirmed real-world attacks, making prompt updates essential.
Conclusion
That wraps our deep dive into CVE-2025-4664. If you’re running Chrome, update to version 136.0.7103.113 or later immediately. Linux users should pull the latest distro patches, and everyone should remain vigilant for unexpected browser behavior. Thanks for listening to Security Brief—stay secure, and we’ll see you next time.
Remediation and exploitation details
This chain involves the following actors
- Attacker: Remote adversary seeking to exfiltrate data across origins
- End User: User running a vulnerable version of Google Chrome
The following systems are involved
- Google Chrome (Render and execute web content): Contains a loader component with insufficient policy enforcement
Attack entry point
- Crafted HTML page: A web page designed to invoke the flawed loader and bypass origin checks
Remediation actions
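A defender-side check for the remediation described above, added here as an example and not part of the original page: it parses Chrome's four-part version strings and flags installs below the fixed build 136.0.7103.113, comparing numerically rather than as strings so that a trailing build such as .92 is not mistaken for newer than .113. The inventory record format and the host names and versions in the sample are constructed assumptions.

```python
# Added example (not from the page): flag Chrome installs still below the
# CVE-2025-4664 fixed build 136.0.7103.113. Inventory lines are constructed.
import re
from typing import List, Optional, Tuple

FIXED_BUILD = "136.0.7103.113"  # patched desktop build named on the page
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")  # Chrome uses 4-part versions

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """4-part Chrome version -> tuple of ints, or None if malformed.

    Compare as integers: as strings, "136.0.7103.92" would sort above
    "136.0.7103.113" because '9' > '1', hiding a vulnerable install.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version: str, fixed: str = FIXED_BUILD) -> Optional[bool]:
    """True if older than the fixed build, False if patched, None if unparseable."""
    parsed = parse_version(version)
    return None if parsed is None else parsed < parse_version(fixed)

def triage_inventory(lines: List[str]) -> dict:
    """Bucket 'host=<name> chrome=<version>' records by patch state."""
    buckets = {"needs_update": [], "patched": [], "unknown": []}
    for line in lines:
        m = re.match(r"host=(\S+)\s+chrome=(\S+)", line)
        if not m:  # malformed record: report it, never silently treat as patched
            buckets["unknown"].append(line)
            continue
        host, version = m.groups()
        state = is_vulnerable(version)
        key = "unknown" if state is None else ("needs_update" if state else "patched")
        buckets[key].append(host)
    return buckets

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    "host=ws01 chrome=136.0.7103.92",   # below fixed build: needs update
    "host=ws02 chrome=136.0.7103.113",  # exactly the fixed build: patched
    "host=ws03 chrome=135.0.7049.114",  # older major: needs update
    "host=ws04 chrome=137.0.7151.40",   # newer major: patched
    "host=ws05 chrome=unknown",         # unparseable version: unknown
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Feed it real inventory records in the same `host=... chrome=...` shape; anything that lands in the unknown bucket needs a manual look rather than being assumed safe.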
Exploitation actions
Loader policy bypass
- Define script or resource tags that point to protected endpoints on other domains
- Embed directives that instruct the loader to fetch these cross-origin resources without proper checks
Social engineering or third-party hosting
- Send the link via email or messaging service
- Host the page on a compromised or attacker-controlled website
Invoke loader component with crafted resource references
- Insert dynamic script elements that reference data from another origin
- Use image or style tags that force a fetch from a protected domain
Stealth exfiltration
- Read the response payload from the other domain
- Use an allowed channel to transmit the harvested data to the attacker server
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html
- https://issues.chromium.org/issues/415810136
- [2025-05-18] Fedora 42 update resolves critical issues in Chromium 136.0.7103.113, including CVE-2025-4664 and CVE-2025-4609.
- [2025-05-15] Google releases Chrome update to fix zero-day vulnerability actively exploited in the wild.
- [2025-05-16] CISA confirms exploitation of recently fixed Chrome vulnerability CVE-2025-4664 in the wild.