Софія Фурман
Hot News
15 May 2025, 17:40
Google releases emergency Chrome update due to cross-domain data leak vulnerability
Google has urged users to immediately update their Chrome browser due to a high-severity vulnerability that allows remote attackers to steal sensitive data from other sites.
According to The Hacker News, Google released Chrome versions 136.0.7103.113 (Windows, macOS) and 136.0.7103.113 (Linux) on May 8, which patch four critical- and high-severity vulnerabilities. The most serious of them, CVE-2025-4664 (CVSS 4.3), concerns the Loader component and is related to insufficient enforcement of the referrer policy when processing subresources.
The attack works by creating a specially crafted HTML page containing a subrequest with a Link header that sets the Referrer-Policy to unsafe-url. Because Chrome applies the header to subresources (for example, when loading images), the malicious code can obtain the full URL with query parameters — often containing tokens, session IDs, or other sensitive data.
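To show what the policy change exposes, this added example (not from the article or from Google) computes the Referer value a browser sends for a cross-origin image under Chrome's default policy, strict-origin-when-cross-origin, and under unsafe-url, following the Referrer Policy specification. The URLs, the token and the function names are constructed for illustration.

```javascript
// Referer computation per the Referrer Policy rules, simplified:
// "downgrade" here means https -> non-https only.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.username = "";
  u.password = "";
  u.hash = ""; // fragments are never sent in Referer
  return u.href;
}

function refererFor(policy, pageUrl, requestUrl) {
  const from = new URL(pageUrl);
  const to = new URL(requestUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "same-origin": return sameOrigin ? full : null;
    case "origin": return origin;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case "unsafe-url": return full;
    default: throw new Error("unknown referrer policy: " + policy);
  }
}

// Names of the query parameters the destination server would see.
function exposedParams(policy, pageUrl, requestUrl) {
  const referer = refererFor(policy, pageUrl, requestUrl);
  if (referer === null) return [];
  return [...new URL(referer).searchParams.keys()];
}

// Constructed sample values (not from the article).
const PAGE = "https://app.example/reset?token=CONSTRUCTED-TOKEN&user=alice#step2";
const IMAGE = "https://img.thirdparty.example/pixel.png";

for (const policy of ["strict-origin-when-cross-origin", "unsafe-url"]) {
  console.log(policy, "->", refererFor(policy, PAGE, IMAGE),
              exposedParams(policy, PAGE, IMAGE));
}
```

Under the default policy the third-party host sees only the origin; under unsafe-url it sees the path and every query parameter, which is why tokens and session IDs carried in URLs are the data at risk.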
How to stay safe
Update Chrome to 136.0.7103.113/.114 (Windows, macOS) or 136.0.7103.113 (Linux).
Restart the browser after installing the update.
Users of Chromium-based browsers (Edge, Brave, Opera, Vivaldi) are advised to monitor similar releases.
Google confirms that "an exploit for CVE-2025-4664 already exists in the wild," so the update should not be delayed. Other fixes in Chrome concern incorrect handling of specific JavaScript scripts and errors in the implementation of network requests.
By the way
Last year, Chrome faced several critical bugs in its handling of security policies, including CORS and Content Security Policy headers. The complexity of the modern web and the constant development of exploit techniques force developers to regularly update both the browser core and HTTP header inspection mechanisms.
It is worth noting that there is a possibility that Chrome itself could be separated from Google as part of a case currently pending in a US federal court. After another court hearing, OpenAI’s ChatGPT product manager Nick Turley said that their company would not mind acquiring the browser.