Google’s security team has released a critical security update for the Chrome browser to address a severe vulnerability (CVE-2025-4664) that could allow attackers to compromise user accounts through cross-origin request manipulation. The vulnerability lies in the browser’s resource loading mechanism and puts users’ authentication credentials at significant risk, particularly in applications that use OAuth authentication flows.
Understanding the Technical Impact
Security researcher Vsevolod Kokorin from Solidlab identified a critical flaw in Chrome’s Loader component, whose behavior differs fundamentally from other browsers’ implementations. The vulnerability stems from Chrome’s unique handling of the Link header during subresource requests, a weakness that can be exploited through specially crafted HTML pages. By setting the referrer-policy parameter to unsafe-url, which makes the browser send the full URL, query string included, as the referrer, attackers can intercept sensitive request parameters and compromise user security.
OAuth Authentication Systems at Risk
The vulnerability is of particular concern for applications implementing OAuth authentication flows, where exposure of request parameters could lead to complete account takeover. Security researchers emphasize that many web applications remain vulnerable because developers overlook the possibility of parameter theft through external resource loading, especially through image elements hosted on malicious domains.
Security Patch Implementation
Google has deployed security fixes in Chrome versions 136.0.7103.113 (Windows/Linux) and 136.0.7103.114 (macOS). While no attacks exploiting this vulnerability have been confirmed in the wild, the existence of public proof-of-concept code significantly elevates the risk for unpatched systems. The automatic update mechanism has been activated to protect users, but manual verification is recommended.
Recommended Security Measures
Users should immediately verify their Chrome browser version and ensure the latest security patch is installed. This can be done by navigating to Chrome Settings and selecting “About Chrome.” Security experts recommend enabling automatic updates and regularly checking for pending updates to maintain optimal security posture. Developers should also review their applications’ authentication implementations to ensure proper protection against request parameter exposure.
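One way for developers to start the review described above is to check whether a page reached with sensitive query parameters also loads subresources from other origins. The following is an added example, not code from Google or the researcher; the parameter list, the function names and the sample URL and HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit

# Assumed list of sensitive query parameters; adjust to your OAuth flow.
SENSITIVE_PARAMS = {"code", "access_token", "id_token", "state"}
# Tag -> attribute that makes the browser fetch a subresource
# ("link" may over-report for rel values that trigger no fetch).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "link": "href"}
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample input (not taken from any real application).
SAMPLE_URL = "https://app.example/oauth/callback?code=abc123&state=xyz"
SAMPLE_HTML = ('<img src="/static/logo.png">'
               '<img src="https://cdn.thirdparty.example/logo.png">'
               '<script src="https://app.example:443/app.js"></script>')

class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every subresource a page references."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.found.append((tag, urljoin(self.page_url, value)))

def origin(url):
    """Scheme/host/port tuple with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))

def audit_callback_page(page_url, html):
    """Return (sensitive params in the URL, cross-origin subresources)."""
    query = parse_qs(urlsplit(page_url).query, keep_blank_values=True)
    leaky = sorted(p for p in query if p in SENSITIVE_PARAMS)
    if not leaky:
        return [], []
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    external = [(t, u) for t, u in collector.found
                if urlsplit(u).scheme in DEFAULT_PORTS and origin(u) != origin(page_url)]
    return leaky, external

if __name__ == "__main__":
    print(audit_callback_page(SAMPLE_URL, SAMPLE_HTML))
```

Any page that returns a non-empty result is a candidate for consuming the parameters server-side and redirecting to a clean URL before rendering third-party content.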
The discovery of this vulnerability underscores the importance of prompt security updates and proper implementation of authentication mechanisms. Organizations utilizing OAuth authentication should conduct security audits to verify their implementations are not exposed to this type of attack vector. Regular security assessments and maintaining up-to-date browser versions remain crucial components of a robust cybersecurity strategy.