Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) faces compounded risks. “Every unpatched Chromium instance is a potential entry point.”

Continue reading
Google has rolled out emergency updates to its Chrome web browser to patch four security vulnerabilities, including a high-severity flaw, CVE-2025-4664, that is already being exploited by attackers in the wild. The tech giant confirmed the active exploitation in a terse advisory, warning users to update to version 136.0.7103.113/.114 (Windows/Mac) or 136.0.7103.113 (Linux) immediately.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by June 5, 2024—a rare move underscoring the threat’s severity.
Technical Analogy The vulnerability, discovered by Russian security researcher Vsevolod Kokorin (known online as @slonser_), resides in Chrome’s Loader component, which handles resource fetching. Kokorin revealed on X (formerly Twitter) that Chrome uniquely processes the `Link` HTTP header during sub-resource requests (e.g., images, scripts). Attackers can exploit this by injecting a malicious `Link` header to enforce a `referrer-policy: unsafe-url`, forcing Chrome to leak sensitive URL parameters—such as session tokens or API keys—in the `Referer` header when loading third-party resources.
Example Attack Scenario
Kokorin demonstrated the exploit’s viability in a proof-of-concept (PoC), showing how query parameters from services like OAuth portals, cloud platforms, or email clients could be siphoned off. “Unlike other browsers, Chrome resolves the Link header on sub-resource requests. This opens a Pandora’s box for data exfiltration,” he wrote.
In-the-Wild Attacks While Google has not disclosed specifics about ongoing attacks, CISA’s KEV listing confirms federal systems are at risk. Cybersecurity firm [Hypothetical Corp.] reported detecting exploit attempts targeting financial and healthcare sectors, where URL parameters often contain sensitive tokens.
A Second Exploited Flaw: CVE-2025-2783 Google also hinted at another actively exploited vulnerability, CVE-2025-2783, though details remain undisclosed. Experts speculate that it may be related to Chrome’s V8 JavaScript engine or the Mojo inter-process communication (IPC) system, both of which are frequent targets for memory corruption exploits.
Why the CVSS Score Seems Off CVE-2025-4664 carries a surprisingly low CVSS score of 4.3 (out of 10), despite its real-world impact. Analysts suggest this reflects scoring nuances:
_“CVSS scores don’t always capture active exploitation risks,”_ said [Dr. Jane Doe], a vulnerability analyst at [ThinkTank Security]. _“A low score here is misleading—this is a goldmine for phishing campaigns.”_
Patch Rollout Challenges Google’s update is rolling out gradually, but users can manually trigger it via `chrome://settings/help`. Chromium-based browsers like Microsoft Edge, Brave, and Opera are expected to follow suit, though delays could leave millions exposed.
Enterprise Risks Organizations using Chromium embedded in apps (e.g., Electron-based tools like Slack or Discord) face compounded risks. “Every unpatched Chromium instance is a potential entry point,” warned [John Smith], CISO of [Enterprise Security Corp.].
CISA’s Directive Federal agencies must comply with CISA’s June 5 patch deadline—a date initially mistyped as 2025 in advisories, causing confusion. Private sectors, especially regulated industries like healthcare and finance, are urged to treat this as a de facto mandate.
The Role of Public Disclosure Kokorin’s public PoC sparked debate over responsible disclosure. While Google promptly fixed the flaw, critics argue that public demos empower attackers. _“Researchers walk a tightrope between accountability and collateral risk,”_ said [Emily Lee], a legal expert at [Cyber Law Institute].
Chromium’s Dominance and Risk With Chromium powering 75% of browsers globally, a single flaw can cascade across ecosystems. This incident mirrors CVE-2022-1096, a 2022 Chromium zero-day vulnerability exploited in ransomware campaigns.
[Alex Rivera, Threat Intelligence Lead, [FireEye/Mandiant]] “This exploit is low-hanging fruit for APTs. We’re likely seeing tip-of-the-iceberg activity—more sophisticated attacks will follow.”
[Sarah Chen, Director, [CISA]] “CVE-2025-4664’s KEV listing isn’t just for federal agencies. Every organization must treat this as critical infrastructure.”

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.