CVE-2025-4664 in Chrome
Summary
by MITRE • 05/14/2025
Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Analysis
by VulDB Data Team • 09/14/2025
The vulnerability identified as CVE-2025-4664 is a high-severity flaw in the loader component of Google Chrome that existed in versions prior to 136.0.7103.113. It stems from insufficient policy enforcement within the browser's loading infrastructure, giving a remote attacker a pathway to leak cross-origin data. The flaw sits at a fundamental level of the browser security architecture: the isolation that should be maintained between different origins is not enforced effectively.
The vulnerability lies in Chrome's loader subsystem, which is responsible for loading and executing web resources. When processing a crafted HTML page, the loader fails to enforce the same-origin policies that should prevent unauthorized access to resources from other origins. This weakness lets an attacker construct a malicious web page that crosses origin boundaries and reads data that should remain isolated. The flaw undermines the core security model browsers rely on to protect users from cross-site scripting and data leakage attacks. The Chromium security severity rating of High reflects the significant risk it poses to user privacy and data integrity.
Operationally, the vulnerability enables a remote attacker to exfiltrate cross-origin data without local system access and without any user interaction beyond visiting a malicious web page. The impact goes beyond simple information disclosure: user credentials, personal data, session tokens, and other sensitive information that applications store or process across different origins may be exposed. Attackers can use the flaw in targeted campaigns against specific users or organizations, especially when combined with other exploitation techniques or social engineering. Because the attack is remote, a victim can be compromised simply by viewing a malicious page, which makes the vulnerability particularly dangerous in phishing campaigns and on compromised websites.
Mitigation for CVE-2025-4664 should prioritize updating affected Chrome installations to 136.0.7103.113 or later, which contains the policy enforcement fix. Organizations should also deploy network-level protections such as content filtering and web application firewalls that can detect and block known malicious patterns associated with cross-origin data leakage attempts. Browser security teams should consider additional sandboxing measures and stricter origin validation checks within the loader component. The vulnerability aligns with CWE-693 (Protection Mechanism Failure) and maps to ATT&CK technique T1566 for initial access through malicious content. Users should stay alert to suspicious web content and keep their browser updated with the latest security patches to prevent exploitation of loader-based vulnerabilities such as this one.
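As an added practical check that is not part of the VulDB record, the following Python snippet compares Chrome version strings from a fleet inventory against the fixed release 136.0.7103.113 named above and flags hosts still running an affected build. The hostnames and version strings in the sample inventory are constructed, and the comparison is numeric per component, so a build such as 136.0.7103.92 correctly sorts before .113 (a plain string comparison would get this wrong).

```python
from __future__ import annotations

# Fixed version from the advisory; anything older is affected.
FIXED_VERSION = "136.0.7103.113"


def parse_version(version: str) -> tuple[int, ...]:
    """Parse a dotted Chrome version string into a tuple of integers.

    Chrome versions have four numeric components (e.g. 136.0.7103.113).
    Raises ValueError for strings that are not purely numeric dotted versions.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-component Chrome version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Return True if the given Chrome version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Split a host -> Chrome version inventory into affected, patched and unknown hosts."""
    result: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable version: needs manual follow-up
        result[bucket].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions, not real data).
SAMPLE_INVENTORY = {
    "ws-001": "136.0.7103.92",   # older build of the 136 line: affected
    "ws-002": "136.0.7103.113",  # exactly the fixed release: patched
    "ws-003": "135.0.7049.114",  # previous major: affected
    "ws-004": "137.0.7151.40",   # newer major: patched
    "ws-005": "unknown",         # agent could not read the version
}

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```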