CVE-2025-4664: 
vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-4664) was identified in Google Chrome versions prior to 136.0.7103.113. The vulnerability is characterized by insufficient policy enforcement in the Chrome Loader component, which allows remote attackers to leak cross-origin data through crafted HTML pages (NVD, Chrome Release).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. This indicates that the vulnerability can be exploited remotely, requires low attack complexity, needs no privileges, but does require user interaction. The scope is unchanged, with low confidentiality impact and no impact on integrity or availability (NVD).

The vulnerability enables cross-origin data leakage, which could potentially expose sensitive information from different origins when a user interacts with a specially crafted HTML page. Google has classified this as a High severity security issue (Chrome Release).

Google has released version 136.0.7103.113/.114 for Windows and Mac, and version 136.0.7103.113 for Linux to address this vulnerability. Users are strongly advised to update their Chrome browsers to these versions or later. CISA has added this vulnerability to their Known Exploited Vulnerabilities Catalog with a remediation due date of June 5, 2025 (CISA Alert).

The vulnerability has gained significant attention from security organizations, with CISA adding it to their Known Exploited Vulnerabilities Catalog on May 15, 2025. The initial discovery was made through social media, specifically on X platform, highlighting the role of the security research community in vulnerability identification (CISA Alert, Chrome Release).