Back to KEVs

CVE-2025-4664

Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a...

Basic Information

CVE State
PUBLISHED
Reserved Date
May 13, 2025
Published Date
May 14, 2025
Last Updated
June 05, 2025
Vendor
Google
Product
Chrome
Description
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Notes
The original Chrome advisory states: "Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild." This is not a clear indication that it has been exploited in the wild, just that an exploit is thought to exist. Added to KEVIntel to err on the side of caution.
Tags
cisa

CVSS Scores

CVSS v3.1

4.3 - MEDIUM

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS Score

Score
0.06% (Percentile: 20.01%) as of 2025-06-13

SSVC Information

Exploitation
none
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (2025-05-15 11:15:21 UTC) Source

References

https://chromereleases.googleblog.com/2025/05/stable-channel-update-for-desktop_14.html https://issues.chromium.org/issues/415810136

Known Exploited Vulnerability Information

Source Added Date
CyberInsider 2025-05-15 11:15:14 UTC

Recent Mentions

CISA Adds Three Known Exploited Vulnerabilities to Catalog

Source: All CISA Advisories • Published: 2025-05-15 12:00:00 UTC

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.  CVE-2024-12987 DrayTek Vigor Routers OS Command Injection Vulnerability CVE-2025-4664 Google Chromium Loader Insufficient Policy Enforcement Vulnerability CVE-2025-42999 SAP NetWeaver Deserialization Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.  Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

Google Patches Actively Exploited Chrome Flaw Allowing Cross-Origin Data Leaks

Source: CyberInsider • Published: 2025-05-15 11:06:41 UTC

Google has issued a security update for Chrome's Stable channel, addressing a high-severity vulnerability in Chrome's Loader component that has been actively exploited in the wild. The flaw, tracked under CVE-2025-4664, was publicly disclosed by security researcher ‘@slonser_‘ on May 5, 2025, through a series of technical posts on X. The exploit technique, which was … The post Google Patches Actively Exploited Chrome Flaw Allowing Cross-Origin Data Leaks appeared first on CyberInsider.

New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy

Source: TheHackerNews • Published: 2025-05-15 06:15:00 UTC

Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said there exists an exploit in the wild. The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader. "Insufficient policy enforcement in Loader in Google

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel