The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-4664 to its Known Exploited Vulnerabilities Catalog as the vulnerability is actively exploited in the wild in attacks.
This high-severity issue in Google Chromium involves insufficient policy enforcement in the Loader component, enabling remote attackers to leak cross-origin data via crafted HTML pages. It is actively exploited, posing risks to users worldwide.
This vulnerability affects Google Chromium, the foundation for browsers like Google Chrome, Microsoft Edge, and Opera.
.png
)
CISA urges users to follow Google’s patch instructions, updating to the latest Chrome versions: 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux.
If patches are unavailable, consider discontinuing use and follow BOD 22-01 guidance for cloud services. The deadline for mitigations is June 5, 2025.
The analysis covers the vulnerability’s nature, impact, mitigation strategies, and contextual details, aiming to inform users and organizations about the risks and necessary actions.
Vulnerability Details
CVE-2025-4664 is classified as an insufficient policy enforcement vulnerability in the Chromium Loader component. This flaw allows a remote attacker to leak cross-origin data via a crafted HTML page, bypassing security policies. It is related to CWE-346, indicating a broader category of policy enforcement issues.
The vulnerability stems from an incorrect handle provided under unspecified circumstances in Chrome’s Mojo Inter-Process Communication (IPC) layer, potentially leading to unauthorized code execution or sandbox escape.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-4664 |
| Severity | High |
| Description | Insufficient policy enforcement in Loader, enabling cross-origin data leak |
| Affected Component | Chromium Loader (Mojo IPC layer) |
| Exploitation Status | Actively exploited in the wild, confirmed by Google |
| Related CWE | CWE-346 (Insufficient Policy Enforcement) |
| Reported By | @slonser_ via X post, additional report by researcher Micky on April 22, 2025 |
The vulnerability poses significant risks, including unauthorized data leakage across web origins, which could compromise user privacy and security.
Given its classification as a zero-day flaw, it was exploited before Google released the patch, heightening the urgency for mitigation.
While the specific use in ransomware campaigns remains unknown, the active exploitation suggests potential for severe impacts, such as privilege escalation or memory corruption in Chrome’s multi-process architecture.
Mitigation Strategies and Timeline
Google responded by rolling out a Stable Channel update for Chrome on May 15, 2025, addressing the vulnerability across desktop platforms (Windows, Mac, and Linux). Users are advised to update to the following versions:
- Windows and Mac: 136.0.7103.113/.114
- Linux: 136.0.7103.113
CISA recommends applying mitigations per vendor instructions, following applicable BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.
The due date for these actions is June 5, 2025, providing a window of approximately three weeks from the date of addition to the KEV catalog.
Users and administrators are strongly encouraged to:
- Immediately update Google Chrome to the latest stable channel versions to mitigate the vulnerability.
- Monitor systems for signs of compromise, especially given the active exploitation.
- Follow CISA’s guidance, including BOD 22-01 for cloud service providers, to ensure comprehensive vulnerability management.
- Stay informed through official channels, such as CISA Catalog and Google Release Blog, for updates on security advisories.
For organizations, implementing automated patching solutions can enhance response times and reduce exposure to such vulnerabilities. Regular security assessments and user education on safe browsing practices are also recommended to mitigate risks.
How to Discover Vulnerable External Assets Associated with a Domain or an IP? -> Try Cyber Asset Finder for Free
