On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser.

Solidlab security researcher Vsevolod Kokorin discovered the flaw (CVE-2025-4664) and shared technical details online on May 5th. Google released security updates to patch it on Wednesday.

As Kokorin explained, the vulnerability is due to insufficient policy enforcement in Google Chrome’s Loader component, and successful exploitation can allow remote attackers to leak cross-origin data via maliciously crafted HTML pages.

“You probably know that unlike other browsers, Chrome resolves the Link header on subresource requests. But what’s the problem? The issue is that the Link header can set a referrer-policy. We can specify unsafe-url and capture the full query parameters,” Kokorin noted.

“Query parameters can contain sensitive data – for example, in OAuth flows, this might lead to an Account Takeover. Developers rarely consider the possibility of stealing query parameters via an image from a 3rd-party resource.”

While Google didn’t disclose if the vulnerability was previously abused in attacks or if it’s still being exploited, it warned in a security advisory that it has a public exploit, which is how it usually hints at active exploitation.

Flagged as actively exploited

One day later, CISA confirmed CVE-2025-4664 is being abused in the wild and added it to the Known Exploited Vulnerabilities catalog, which lists security flaws actively exploited in attacks.

As mandated by the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies must patch their Chrome installation within three weeks, by May 7th, to secure their systems against potential breaches.

While this directive only applies to federal agencies, all network defenders are advised to prioritize patching this vulnerability as soon as possible.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the cybersecurity agency warned.

This is the second actively exploited Chrome zero-day patched by Google this year, after another high-severity Chrome zero-day bug (CVE-2025-2783), which was abused to target Russian government organizations, media outlets, and educational institutions in cyber-espionage attacks.

Kaspersky researchers who spotted the zero-day attacks said that the threat actors used CVE-2025-2783 exploits to bypass Google Chrome’s sandbox protections and infect targets with malware.