Google Chrome data leakage bug confirmed as actively exploited
- A Google Chrome vulnerability (CVE-2025-4664) allowing OAuth code leaks was added to CISA's Known Exploited Vulnerabilities catalog.
- The flaw involves insufficient policy enforcement in Chrome's Loader, enabling attackers to capture full query parameters via a manipulated referrer policy.
- Discovered by researcher Vsevolod Kokorin, the vulnerability can be exploited via malicious HTML pages or third-party resources.
- Query parameters may contain sensitive data like OAuth codes, risking account takeover.
- Fixed in Chrome version 136.0.7103.113, it has a medium CVSS score (4.3), but Google rates it as high severity.
- Federal agencies must patch by June 5, 2025, as active exploitation is confirmed.
- CISA also added DrayTek router (CVE-2024-12987) and SAP NetWeaver (CVE-2025-42999) flaws to the KEV catalog.
- Previously, Chrome's sandbox escape zero-day (CVE-2025-2783) was listed in March.
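
The referrer-policy point in the bullets above, as an added example (not from the original article and not Chrome's code): it computes the `Referer` value a browser sends for a cross-origin subresource request under each Referrer-Policy value, and lists which policies would expose OAuth query parameters. The URLs, the parameter list and the function names are constructed for illustration.

```javascript
// Added example: Referer computation per the W3C Referrer Policy rules.
// SENSITIVE_PARAMS and all URLs used with these functions are constructed.
const SENSITIVE_PARAMS = ["code", "state", "access_token", "id_token"];
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Returns the Referer header value, or null when no header is sent.
function computeReferrer(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  page.hash = "";      // fragment and credentials are never sent
  page.username = "";
  page.password = "";
  const full = page.href;
  const originOnly = page.origin + "/";
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full; // full URL, query string included
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    default: // "strict-origin-when-cross-origin", the browser default
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
  }
}

// Names of sensitive query parameters visible in a Referer value.
function leakedParams(referrer) {
  if (!referrer) return [];
  const params = new URL(referrer).searchParams;
  return SENSITIVE_PARAMS.filter((name) => params.has(name));
}

// Policies under which this request would carry sensitive parameters.
function policiesThatLeak(pageUrl, requestUrl) {
  return POLICIES.filter(
    (p) => leakedParams(computeReferrer(pageUrl, requestUrl, p)).length > 0
  );
}
```

Under the default policy a cross-origin request receives only the origin, so an OAuth callback page that loads third-party resources leaks nothing; the exposure appears only when the effective policy is weakened to one of the values `policiesThatLeak` returns.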