03 Jun, 2025
Billions of Chrome users at risk from new data-stealing browser vulnerability - here's how to stay safe
@Source: techradar.com
Efosa Udinmwen, 3 June 2025

Chromium users on Debian remain vulnerable, with no fix yet

Google Chrome's unique handling of referrer-policy creates a major loophole for silent data siphoning
CVE-2025-4664 proves even trusted browsers are not immune to catastrophic zero-day vulnerabilities
Cross-origin data is up for grabs if you haven't updated Chrome or Chromium

A newly uncovered zero-day vulnerability which affects both Windows and Linux systems could put billions of Google Chrome and Chromium users at serious risk of data theft, experts have warned.

Researchers from Wazuh claim this flaw - tracked as CVE-2025-4664 - has already drawn urgent attention due to its ability to leak sensitive cross-origin data such as OAuth tokens and session identifiers without user interaction.

The flaw, identified in the Loader component of Chrome and Chromium browsers, relates to how these browsers process the Link HTTP header for sub-resource requests like images or scripts.

Chrome opening the door to data leaks

Unlike other mainstream browsers, Chrome honors the referrer-policy directive even on sub-resources. This behavior allows a malicious site to inject a lax policy, such as unsafe-url, effectively leaking full URLs, including sensitive data, to third-party domains. This kind of exploit bypasses conventional browser defenses and directly undermines common security assumptions in web infrastructure.

Wazuh claims it can detect and mitigate this flaw via its Wazuh Vulnerability Detection module, which uses data from its Cyber Threat Intelligence (CTI) service to monitor software versions and raise alerts when vulnerable packages are found.

In a lab environment set up using Wazuh OVA 4.12.0, security researchers demonstrated how endpoints running Windows 11 and Debian 11 could be scanned to identify whether they were running vulnerable versions of Chrome or Chromium.

As noted in Wazuh's dashboard, users are instructed to add the query CVE-2025-4664 to quickly isolate impacted systems, with the module updating the vulnerability status from "Active" to "Solved" once mitigation steps are verified.

Google has issued an emergency patch to address the issue on Windows and Gentoo Linux systems. Users on these platforms are advised to update their browsers immediately.

For Chromium users on Debian 11, all versions up to 120.0.6099.224 remain vulnerable, and no updated package has yet been released. Users are encouraged to uninstall the browser until a patched version becomes available.

Despite these swift actions, the broader concern remains: how can users and enterprises reliably protect themselves against browser-based zero-day exploits? Applying patches is essential, but relying solely on browser updates can leave significant gaps.

For this reason, it is recommended to use endpoint protection platforms, along with malware protection and antivirus solutions, to stay safe. These tools provide layered defenses that go beyond browser vulnerabilities, offering real-time detection and containment of exploit attempts.
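
The Link-header behaviour the article describes can be checked for in proxy or gateway logs. The following is an added example, not code from the article or from Wazuh: it parses Link headers and flags sub-resource responses that set a lax referrer policy. The record layout (`url`, `dest`, `headers`), the example hostnames and the `referrerpolicy` parameter name are assumptions of this example.

```python
import re

# Policies that send the full URL cross-origin. "unsafe-url" is the value the
# article names; "no-referrer-when-downgrade" is an assumption added here.
LAX_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}
# One link-value: <target> followed by ;name=value parameters (RFC 8288 syntax).
_LINK_VALUE = re.compile(r'<([^>]*)>((?:\s*;\s*[\w*-]+(?:\s*=\s*(?:"[^"]*"|[^;,\s]+))?)*)')
_PARAM = re.compile(r';\s*([\w*-]+)(?:\s*=\s*(?:"([^"]*)"|([^;,\s]+)))?')


def parse_link_header(value):
    """Return [(target, {param: value})] for every link-value in a Link header."""
    links = []
    for target, raw_params in _LINK_VALUE.findall(value):
        params = {}
        for name, quoted, bare in _PARAM.findall(raw_params):
            params.setdefault(name.lower(), (quoted or bare).strip().lower())
        links.append((target, params))
    return links


def find_lax_referrer_links(responses):
    """Flag sub-resource responses whose Link header sets a lax referrer policy."""
    findings = []
    for resp in responses:
        if resp["dest"] == "document":  # the article concerns sub-resource responses
            continue
        for value in (v for n, v in resp["headers"] if n.lower() == "link"):
            for target, params in parse_link_header(value):
                if params.get("referrerpolicy") in LAX_POLICIES:
                    findings.append((resp["url"], target, params["referrerpolicy"]))
    return findings


# Constructed sample records (not real traffic): URL, request destination, headers.
SAMPLE = [
    {"url": "https://app.example/home", "dest": "document",
     "headers": [("Link", '<https://app.example/a.css>; rel=preload; as=style')]},
    {"url": "https://img.example/logo.png", "dest": "image",
     "headers": [("Link", '<https://collector.example/p.png>; rel="preload"; '
                          'as="image"; referrerpolicy="unsafe-url"')]},
    {"url": "https://cdn.example/lib.js", "dest": "script",
     "headers": [("link", '<https://cdn.example/f.woff2>; rel=preload; as=font; '
                          'referrerpolicy=strict-origin')]},
]

if __name__ == "__main__":
    for finding in find_lax_referrer_links(SAMPLE):
        print("lax referrer policy set via Link header:", finding)
```

A hit means a third-party image or script response is asking the browser to send full page URLs with the follow-up request, which is worth reviewing even on patched browsers.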