Billions of Chrome users at risk from new data-stealing browser vulnerability - here's how to stay safe
Efosa Udinmwen
3 June 2025
Chromium users on Debian remain vulnerable, with no fix yet
Google Chrome’s unique handling of referrer-policy creates a major loophole for silent data siphoning
CVE-2025-4664 proves even trusted browsers are not immune to catastrophic zero-day vulnerabilities
Cross-origin data is up for grabs if you haven't updated Chrome or Chromium
A newly uncovered zero-day vulnerability, which affects both Windows and Linux systems, could put billions of Google Chrome and Chromium users at serious risk of data theft, experts have warned.
Researchers from Wazuh claim this flaw - tracked as CVE-2025-4664 - has already drawn urgent attention due to its ability to leak sensitive cross-origin data such as OAuth tokens and session identifiers without user interaction.
The flaw, identified in the Loader component of Chrome and Chromium browsers, relates to how these browsers process the Link HTTP header for sub-resource requests like images or scripts.
Chrome opening the door to data leaks
Unlike other mainstream browsers, Chrome honors the referrer-policy directive even on sub-resource requests.
This behavior lets a malicious site inject a lax policy, such as unsafe-url, so that full URLs, including any sensitive data carried in them, are leaked to third-party domains.
This kind of exploit bypasses conventional browser defenses and directly undermines common security assumptions in web infrastructure.
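As an added illustration (not code from the article or from Wazuh), here is a small Python check a defender could run over captured HTTP response headers: it parses Link header values, flags entries that set a referrer policy which sends the full URL to a cross-origin destination, and shows what the Referer would carry under a given policy. The header values and hostnames are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Referrer policies that send the full URL (path and query) to a cross-origin
# destination; unsafe-url is the one named in the article.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

def parse_link_header(value):
    """Split one Link header value (RFC 8288) into (url, {param: value}) pairs."""
    entries = []
    for part in re.split(r",(?=\s*<)", value):
        m = re.match(r"\s*<([^>]*)>\s*(.*)", part)
        if not m:
            continue
        params = {}
        for p in m.group(2).split(";"):
            if "=" in p:
                k, v = p.split("=", 1)
                params[k.strip().lower()] = v.strip().strip('"').lower()
        entries.append((m.group(1), params))
    return entries

def find_lax_link_policies(headers):
    """Return (url, policy) for Link entries carrying a full-URL referrer policy."""
    hits = []
    for name, value in headers:
        if name.lower() != "link":
            continue
        for url, params in parse_link_header(value):
            policy = params.get("referrerpolicy")
            if policy in FULL_URL_POLICIES:
                hits.append((url, policy))
    return hits

def referer_for(policy, page_url):
    """Referer value a cross-origin HTTPS sub-resource request made from page_url
    would carry under `policy` (simplified: no HTTPS-to-HTTP downgrade case)."""
    page = urlsplit(page_url)
    if policy in ("no-referrer", "same-origin"):
        return None
    if policy in FULL_URL_POLICIES:
        return page._replace(fragment="").geturl()  # path and query string leak
    return f"{page.scheme}://{page.netloc}/"  # origin only (Chrome's default)

# Constructed response headers for a hypothetical page; not a real capture.
SAMPLE_HEADERS = [
    ("Link", '<https://img.example/a.png>; rel=preload; as=image; referrerpolicy="unsafe-url", '
             '<https://cdn.example/app.js>; rel=preload; as=script'),
]
```

Running `find_lax_link_policies(SAMPLE_HEADERS)` flags only the image entry, and `referer_for` makes the difference concrete: under the default policy a cross-origin request reveals just the origin, while under unsafe-url the whole query string goes along.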
Wazuh claims it can detect and mitigate this flaw via its Wazuh Vulnerability Detection module, which uses data from its Cyber Threat Intelligence (CTI) service to monitor software versions and raise alerts when vulnerable packages are found.
In a lab environment set up using Wazuh OVA 4.12.0, security researchers demonstrated how endpoints running Windows 11 and Debian 11 could be scanned to identify whether they were running vulnerable versions of Chrome or Chromium.
As noted in Wazuh’s dashboard, users are instructed to add the query CVE-2025-4664 to quickly isolate impacted systems, with the module updating the vulnerability status from "Active" to "Solved" once mitigation steps are verified.
Google has issued an emergency patch to address the issue on Windows and Gentoo Linux systems. Users on these platforms are advised to update their browsers immediately.
For Chromium users on Debian 11, all versions up to 120.0.6099.224 remain vulnerable, and no updated package has yet been released. Users are encouraged to uninstall the browser until a patched version becomes available.
Despite these swift actions, the broader concern remains: how can users and enterprises reliably protect themselves against browser-based zero-day exploits?
Applying patches is essential, but relying solely on browser updates can leave significant gaps. For this reason, it is recommended to use endpoint protection platforms, along with malware protection and antivirus solutions, to stay safe.
These tools provide layered defenses that go beyond browser vulnerabilities, offering real-time detection and containment of exploit attempts.