A recently discovered high-severity cross-site scripting vulnerability in Google Chrome (CVE-2025-4664) has users worrying about the safety of their personal data. The second flaw, with a CVSS score of 4.3, involves a lack of policy enforcement within a component called Loader. Security researcher Vsevolod Kokorin was the first to publicly report the vulnerability, on May 5, 2025, in a post on X (formerly Twitter). As only the second vulnerability to receive a CISA hack of the week flag for active exploitation in the wild, CVE-2025-4664 represents a clear and present danger to users.
Google has since confirmed that an exploit for this vulnerability exists and is working on a patch. The tech giant commended Kokorin for his in-depth report on the vulnerability. The vulnerability allows attackers to retrieve sensitive information passed in query parameters, up to and including full account takeover.
Details of the Vulnerability
CVE-2023-30767 is defined by its lack of policy enforcement in the Loader component of Chrome. Successful exploitation enables attackers to leak cross-origin data through a specially crafted HTML page. This loophole is how data brokers can expose sensitive user data like health information without permission. The leak predominantly happens through query string parameters, which often carry sensitive data.
“Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page.” – CVE description
Kokorin noted specific browser behaviors that exacerbate the issue: “Unlike other browsers, Chrome resolves the Link header on sub-resource requests.” This trait makes Chrome handle the request lifecycle differently from its competitors. More concerning, this newly identified flaw puts Americans more at risk of a data leak.
Exploitation and Risks
CVE-2025-4664 is cause for great concern. It is now the second vulnerability that reports have indicated is being exploited in the wild, hot on the heels of CVE-2025-2783. CVE-2025-2871 directly threatens user security and privacy, raising the alarm over possible data leaks.
Further, Google is aware that an exploit for this vulnerability is already out there in the wild. This represents an ongoing and pressing danger to Chrome users’ security. A proof-of-concept (PoC) demonstration further illustrated the exploit’s functionality. It remains to be seen whether anybody has intentionally taken advantage of this weakness in practice.
Users rely heavily on browsers to get through their daily lives. This dependence raises the chance that sensitive information in query parameters is compromised via images loaded from third-party resources. These kinds of attacks might allow attackers to gain access to private accounts and information.
Response and Remediation
Google told us it would provide a patch soon after. This update will mitigate the dangers associated with CVE-2025-4664. Keep your eyes peeled and ensure that you are running the latest version of your browser! Taking this step now will go a long way in protecting you from future exploits.
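To check a fleet against the fixed version given in the CVE description (136.0.7103.113), the added example below classifies Chrome versions from an inventory or from User-Agent headers; it is not code from Google or from the researcher. The host names and versions are constructed sample data, and the handling of `MAJOR.0.0.0` reflects Chrome's reduced User-Agent strings, which do not reveal the patch level.

```python
import re

# Fixed version, taken from the CVE description quoted in this article.
FIXED = (136, 0, 7103, 113)
UA_CHROME = re.compile(r"\bChrome/(\d+(?:\.\d+){3})")
# Other Chromium browsers ship on their own release trains; the article
# gives no fixed version for them, so they are reported separately.
OTHER_CHROMIUM = re.compile(r"\b(?:Edg|OPR)/")


def classify_version(version: str) -> str:
    """Classify a four-part Chrome version against FIXED."""
    v = tuple(int(part) for part in version.strip().split("."))
    if len(v) != 4:
        raise ValueError(f"expected MAJOR.MINOR.BUILD.PATCH, got {version!r}")
    # Reduced User-Agent strings report MAJOR.0.0.0, so the patch level is
    # unknown; only the major version can be compared.
    if v[1:] == (0, 0, 0):
        if v[0] == FIXED[0]:
            return "indeterminate"
        return "vulnerable" if v[0] < FIXED[0] else "patched"
    # Tuple comparison is numeric per component (92 < 113), unlike strings.
    return "vulnerable" if v < FIXED else "patched"


def classify_user_agent(ua: str) -> str:
    """Classify a browser from its User-Agent header."""
    m = UA_CHROME.search(ua)
    if m is None or OTHER_CHROMIUM.search(ua):
        return "not-chrome"
    return classify_version(m.group(1))


# Constructed sample data: host names and versions are made up.
INVENTORY = {
    "wks-01": "136.0.7103.92",
    "wks-02": "136.0.7103.113",
    "wks-03": "135.0.7049.115",
    "wks-04": "137.0.7151.55",
}


def audit(inventory: dict) -> dict:
    """Map each host to its classification."""
    return {host: classify_version(v) for host, v in inventory.items()}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(host, status)
```

An "indeterminate" result means the User-Agent alone cannot settle the question; confirm the full version from endpoint inventory instead.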
The number of reported cyber vulnerabilities is growing at a staggering rate. For users and developers alike, security should be at the top of everyone’s mind today. Regular monitoring and quick reporting of these kinds of gaps are central to keeping our online world safe.