Google Fixed Critical Chrome Vulnerability That Could Lead to Full Account Takeover
Google has released emergency security updates to address a critical Chrome browser vulnerability that could lead to full account takeover. The vulnerability, tracked as CVE-2025-4664, was discovered by security researcher Vsevolod Kokorin (@slonser_) and stems from insufficient policy enforcement in Loader in Google Chrome prior to version 136.0.7103.113.
A remote attacker could trigger the flaw to leak cross-origin data via a crafted HTML page, which poses a significant risk to user accounts, especially those involved in OAuth flows. This means that sensitive query parameters, such as those used in authentication processes, could be compromised, potentially leading to account takeover attacks.
The Flaw: A Surprising Vulnerability
Developers rarely consider the possibility of stealing query parameters via an image from a third-party resource, making this trick surprisingly useful at times. This oversight highlights the importance of thorough security testing and vulnerability assessments in software development.
Patch Released by Google
Another High-Severity Vulnerability Addressed
In March 2025, Google released out-of-band fixes to address another high-severity security vulnerability, tracked as CVE-2025-2783, in Chrome browser for Windows. The flaw was actively exploited in attacks targeting organizations in Russia.
Mojo Vulnerability: Sandbox Escape and Privilege Escalation
The vulnerability is an incorrect handle provided in unspecified circumstances in Mojo on Windows. Kaspersky researchers Boris Larin (@oct0xor) and Igor Kuznetsov (@2igosha) reported the vulnerability on March 20, 2025. Mojo is Google's IPC library for Chromium-based browsers, managing sandboxed processes for secure communication.
Google's Response to the Vulnerability
“Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild,” reads the advisory published by Google. “The Stable channel has been updated to 134.0.6998.177/.178 for Windows, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log.”
Google did not share details about the attacks that exploited this vulnerability or the identity of the threat actors behind them.
Stay Safe Online
As with any security update, it's essential to stay vigilant and keep your software up to date. Regularly updating your browser and other software can help prevent exploitation of vulnerabilities like CVE-2025-4664 and CVE-2025-2783.
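An added example, not part of the original article: a Python check of a browser inventory against the two fixed versions quoted above. It assumes every build below a fixed version is affected and that CVE-2025-4664 applies on all platforms (the article only ties CVE-2025-2783 to Windows); the function names and inventory rows are constructed for illustration.

```python
import re

# Fixed versions as quoted in the article. "windows_only" reflects the article's
# statement that CVE-2025-2783 was fixed in Chrome for Windows (assumption: other
# platforms are out of scope for it; CVE-2025-4664 is checked everywhere).
FIXED = {
    "CVE-2025-4664": {"fixed": (136, 0, 7103, 113), "windows_only": False},
    "CVE-2025-2783": {"fixed": (134, 0, 6998, 177), "windows_only": True},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome version."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def audit_host(os_name, version_text):
    """Return the sorted CVE ids this install is still exposed to.

    An unparseable version yields ["UNKNOWN"] so the host is reviewed by hand
    instead of being silently treated as patched.
    """
    version = parse_version(version_text)
    if version is None:
        return ["UNKNOWN"]
    exposed = []
    for cve, rule in FIXED.items():
        if rule["windows_only"] and os_name.lower() != "windows":
            continue
        if version < rule["fixed"]:  # tuple comparison is component-wise
            exposed.append(cve)
    return sorted(exposed)

def audit_inventory(rows):
    """rows: iterable of (host, os, version). Returns {host: [cve, ...]} for exposed hosts."""
    report = {host: audit_host(os_name, ver) for host, os_name, ver in rows}
    return {host: cves for host, cves in report.items() if cves}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "Windows", "134.0.6998.118"),
    ("ws-02", "Windows", "136.0.7103.113"),
    ("mac-01", "macOS", "134.0.6998.118"),
    ("lin-01", "Linux", "136.0.7103.59"),
    ("ws-03", "Windows", "unknown"),
]

if __name__ == "__main__":
    for host, cves in audit_inventory(SAMPLE).items():
        print(host, ", ".join(cves))
```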