Google patches actively exploited flaw in Chrome used for account takeover and MFA bypass
Take action: This one is urgent. Google patched an actively exploited flaw in Chrome, and exploitation requires nothing more than a visit to a malicious site. DON'T WAIT! Patch all your Chrome and Chromium-based browsers (Edge, Opera, Brave, Vivaldi). Updating the browser is easy, and all your tabs reopen after the patch.
Google has released an emergency update to address multiple vulnerabilities in the Chrome web browser, including a flaw that is actively being exploited in the wild that could lead to complete account takeover and bypass multi-factor authentication (MFA).
Security fixes in this update include:
- CVE-2025-4664 (CVSS score 4.3, Google scored as High Severity): Insufficient policy enforcement in Loader.
- CVE-2025-4609 (No CVSS score, Google scored as High Severity): Incorrect handle provided in unspecified circumstances in Mojo.
- Two additional security fixes that were not individually detailed in Google's advisory
The actively exploited flaw is tracked as CVE-2025-4664 (CVSS score 4.3), an insufficient policy enforcement issue in Chrome's Loader component that allows remote attackers to leak cross-origin data through maliciously crafted HTML pages. The problem is that a Link header can set the referrer policy to "unsafe-url", so the full query parameters are sent along with cross-origin requests and can be captured.
CISA also warned U.S. federal agencies to secure their systems against this flaw, flagging it as actively exploited.
How the exploit works
The flaw stems from a behavior unique to Google's browser in how it handles Link headers in HTTP responses. Unlike other browsers, Chrome processes these headers during subresource requests (such as loading images) and allows them to set the referrer policy to "unsafe-url," which forces the browser to include the complete URL, including all sensitive query parameters, when making cross-origin requests.
Attackers can exploit this by creating malicious webpages that, when visited, set this unsafe referrer policy and load resources from their server, causing Chrome to send the full URL with all query parameters to the attacker's server. This is particularly dangerous for OAuth authentication flows, where sensitive access tokens are often passed as query parameters after a user logs in. Since these tokens are issued after multi-factor authentication is completed, stealing them effectively bypasses MFA security measures and grants attackers full account access. Developers rarely anticipate query parameters being leaked through image requests to third-party resources, making many websites vulnerable to this attack vector.
Google's advisory states, "Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild," which typically indicates active exploitation. The exact number of affected users and the financial impact of these exploits have not been disclosed.
All versions of Chrome prior to version 136.0.7103.113 are affected by this vulnerability.
Google has patched this vulnerability in its latest release, issued on Wednesday, May 14, 2025, for:
- Chrome 136.0.7103.113 for Windows and Linux
- Chrome 136.0.7103.114 for macOS
Microsoft has also released Microsoft Edge version 136.0.3240.76 to patch the same flaws.
Users and administrators are strongly advised to update their Chrome browsers immediately. The updates will roll out over the coming days and weeks, but they are immediately available when manually checking for updates.
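For administrators checking a fleet against the patched builds listed above, here is an added example (not Google's or Microsoft's tooling) that compares reported browser versions numerically against the advisory's minimum versions; the hostnames and inventory rows are constructed sample data, and Chrome's macOS build is treated as patched from 136.0.7103.114, the version Google actually shipped there.

```python
"""Flag Chrome/Edge installs still below the builds that fix CVE-2025-4664."""
from typing import Dict, List, Tuple

# Minimum patched builds stated in the advisory, keyed by (browser, platform).
# "any" matches every platform for that browser (Edge ships one version line).
PATCHED_VERSIONS: Dict[Tuple[str, str], str] = {
    ("chrome", "windows"): "136.0.7103.113",
    ("chrome", "linux"): "136.0.7103.113",
    ("chrome", "macos"): "136.0.7103.114",
    ("edge", "any"): "136.0.3240.76",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '136.0.7103.113' into (136, 0, 7103, 113).

    Comparing tuples of ints avoids the classic string-compare bug where
    '136.0.3240.100' sorts *below* '136.0.3240.76'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(browser: str, platform: str, version: str) -> bool:
    """True if the reported build is at or above the advisory's fixed build."""
    key = (browser.lower(), platform.lower())
    if key not in PATCHED_VERSIONS:
        key = (browser.lower(), "any")
    if key not in PATCHED_VERSIONS:
        raise KeyError(f"no patched version known for {browser}/{platform}")
    return parse_version(version) >= parse_version(PATCHED_VERSIONS[key])


# Constructed inventory rows: (hostname, browser, platform, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "windows", "136.0.7103.113"),
    ("ws-02", "chrome", "windows", "136.0.7103.92"),
    ("mac-01", "chrome", "macos", "136.0.7103.113"),   # macOS fix is .114
    ("srv-01", "edge", "linux", "136.0.3240.100"),     # newer than .76
    ("srv-02", "edge", "windows", "136.0.3240.68"),
]


def unpatched_hosts(inventory) -> List[str]:
    """Return hostnames whose browser build is still vulnerable."""
    return [host for host, browser, platform, ver in inventory
            if not is_patched(browser, platform, ver)]


if __name__ == "__main__":
    print("Needs update:", unpatched_hosts(SAMPLE_INVENTORY))
```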