CVE-2025-4664: 
vulnerability analysis and mitigation

A high-severity vulnerability (CVE-2025-4664) was identified in Google Chrome's Loader component affecting versions prior to 136.0.7103.113. The vulnerability was discovered on May 5, 2025, and publicly disclosed on May 14, 2025. This security flaw involves insufficient policy enforcement in the Chrome Loader, which could allow remote attackers to leak cross-origin data through specially crafted HTML pages (Chrome Release, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction. The impact is primarily limited to confidentiality, with no effects on integrity or availability (NVD).

The vulnerability allows attackers to leak cross-origin data, potentially exposing sensitive information from different origins than intended. This cross-origin data leak could compromise user privacy and lead to unauthorized access to sensitive information (Chrome Release).

Google has released version 136.0.7103.113/.114 for Windows and Mac, and version 136.0.7103.113 for Linux to address this vulnerability. Users are strongly advised to update their Chrome browsers to these versions or later. CISA has set a deadline of June 5, 2025, for federal agencies to apply the vendor-provided fixes (Chrome Release, CISA Alert).