Google patches Chrome vulnerability used for account takeover and MFA bypass


Chrome users are advised to update their browser immediately to fix a critical vulnerability that is being exploited to launch account takeover attacks.

In some environments, this could even give attackers the ability to bypass multi-factor authentication (MFA).

The recently-reported vulnerability, one of four fixed in a Wednesday update, is tracked as CVE-2025-4664 and affects all versions of Chrome prior to version 136.0.7103.113.

Google’s advisory says very little about the flaw beyond stating, “Google is aware of reports that an exploit for CVE-2025-4664 exists in the wild.”

That explains the urgency of the fix being issued outside the normal update cycle, an ‘emergency patch’ if you like. These come along occasionally, and given the daily use of browsers, are always a priority for users and admins alike.

The vulnerability up close

The researcher who discovered the flaw, Vsevolod Kokorin of Neplox Security, offers a deeper dive on the issue in his post on X (formerly Twitter):

“Unlike other browsers, Chrome resolves the Link header on subresource requests. But what’s the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters,” he wrote.

Link headers are used by websites to tell a browser about important page resources, for example images, that it should preload. Because the header arrives as part of the HTTP response, before the browser has parsed any HTML, this speeds up page loads. When the browser goes to fetch the resource, often from a third-party server, the request carries a Referer URL identifying the requesting page, with as much detail as the referrer policy allows.

Unfortunately, in Chrome this URL can also include security-sensitive information, such as the query parameters of OAuth flows used for authentication.

“Query parameters can contain sensitive data — for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a third party resource — which makes this trick surprisingly useful sometimes,” wrote Kokorin.
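The defender-side check that follows from the above is to look at a site's own responses for a `Link` preload entry that points at a cross-origin resource and carries a `referrerpolicy` that sends the full page URL. The script below is an added example written for this article; it is not Chrome code and not code from Neplox Security. It assumes the response headers have already been collected (for example by a proxy or a crawler) into a dictionary of lowercase header names to lists of values, and the sample callback URL and headers are constructed for illustration.

```python
"""Audit HTTP response headers for Link preloads that can leak the page's
query string to a third-party origin via an over-permissive referrer policy.

Added example for the article (not Chrome or Neplox Security code).
"""
import re
from urllib.parse import urlparse

# Policies under which the page's full URL, including the query string, is
# sent as the referrer to a cross-origin destination. "unsafe-url" is the one
# the researcher names; "no-referrer-when-downgrade" behaves the same way for
# HTTPS -> HTTPS requests.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

# Split a Link header on the commas that begin a new <url> entry.
_ENTRY_SPLIT = re.compile(r",(?=\s*<)")
# One parameter: name, optionally followed by = and a token or quoted-string.
_PARAM = re.compile(r'([A-Za-z0-9*_-]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;]*))?')


def parse_link_header(value):
    """Parse an RFC 8288 Link header into a list of (url, params) tuples.
    Parameter names and values are lower-cased; quotes are stripped."""
    links = []
    for entry in _ENTRY_SPLIT.split(value):
        entry = entry.strip()
        if not entry.startswith("<"):
            continue
        close = entry.find(">")
        if close < 0:
            continue
        url = entry[1:close]
        params = {}
        for m in _PARAM.finditer(entry[close + 1:]):
            raw = m.group(2) or ""
            params[m.group(1).lower()] = raw.strip().strip('"').lower()
        links.append((url, params))
    return links


def _origin(url):
    p = urlparse(url)
    return (p.scheme.lower(), p.netloc.lower())


def audit_link_header(page_url, link_value):
    """Return a finding for every Link entry that preloads a cross-origin
    resource under a referrer policy that leaks the page's full URL."""
    findings = []
    page_origin = _origin(page_url)
    page_has_query = bool(urlparse(page_url).query)
    for url, params in parse_link_header(link_value):
        if not urlparse(url).netloc or _origin(url) == page_origin:
            continue  # same-origin resource: the referrer stays in-house
        policy = params.get("referrerpolicy", "")
        if policy in FULL_URL_POLICIES:
            findings.append({
                "resource": url,
                "referrerpolicy": policy,
                "query_exposed": page_has_query,
                "advice": 'remove referrerpolicy or set it to "no-referrer"',
            })
    return findings


def audit_response(page_url, headers):
    """headers: mapping of lowercase header name -> list of values."""
    findings = []
    for value in headers.get("link", []):
        findings.extend(audit_link_header(page_url, value))
    # A document-level Referrer-Policy that leaks the full URL is a problem
    # on its own whenever the page URL carries a query string.
    doc_policy = (headers.get("referrer-policy") or [""])[-1].strip().lower()
    if doc_policy in FULL_URL_POLICIES and urlparse(page_url).query:
        findings.append({
            "resource": page_url,
            "referrerpolicy": doc_policy,
            "query_exposed": True,
            "advice": 'set Referrer-Policy to "strict-origin-when-cross-origin" or stricter',
        })
    return findings


# Constructed sample: an OAuth callback page whose response preloads a hero
# image from a CDN with a per-link policy that sends the full URL.
SAMPLE_PAGE_URL = "https://app.example.com/oauth/callback?code=CONSTRUCTED-CODE&state=xyz"
SAMPLE_HEADERS = {
    "referrer-policy": ["strict-origin-when-cross-origin"],
    "link": [
        '</static/app.css>; rel=preload; as=style, '
        '<https://cdn.example.net/hero.jpg>; rel=preload; as=image; referrerpolicy="unsafe-url"',
        '<https://fonts.example.org/inter.woff2>; rel=preload; as=font; crossorigin',
    ],
}

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_PAGE_URL, SAMPLE_HEADERS):
        print(finding)
```

Run against the constructed sample, the audit reports exactly one finding: the CDN image preload with `referrerpolicy="unsafe-url"`, flagged as exposing the callback's query string. The stylesheet is same-origin and the font preload carries no leaking policy, so neither is reported. The same check is worth running over any page whose URL carries a one-time code or token, since, as the article notes, that is the data an attacker would be after.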

How could this be exploited?

OAuth provides a way of giving access to something without the need for a password. It’s useful in multiple scenarios, for example, in single sign-on (SSO). Users might also encounter it when giving a contact access to a file or document in a cloud service such as Microsoft 365 without passing on their account credentials.

Importantly, OAuth kicks in after MFA, which means that if an attacker can trick users into revealing their OAuth token in a URL, they can effectively bypass this control.

The flaw Kokorin discovered is that Chrome was including sensitive data such as this in its query parameters, making it a tempting target for an attacker able to lure someone to a bogus site where this data can be stolen.

Probably not coincidentally, recent weeks have seen a spate of sometimes elaborate attacks attempting to do just this, as documented by security vendors. These might or might not be related to the attacks Google talks about in its alert.

The Google update also mentions one other critical flaw, CVE-2025-4609, which, as far as the company knows, is not being exploited. The final two vulnerabilities are not itemized so are, presumably, less serious.

Enterprises looking to patch the vulnerability should look for versions 136.0.7103.113/.114 for Windows and Mac, and 136.0.7103.113 for Linux.

Enterprises should always triage this type of flaw carefully. They need to patch it quickly, but how quickly depends on the likelihood of their being targeted by the exploit.

That risk will currently be modest. However, given that the attackers most likely to be exploiting it are Russian, there is a risk it will spread to ransomware attacks fairly soon.
