- Google recently patched a new Chrome bug
- CISA has now added the vulnerability to KEV, signaling exploitation in the wild
- Federal agencies have three weeks to update Chrome
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new Chrome bug to its Known Exploited Vulnerabilities (KEV) catalog, signaling abuse in the wild and giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch.
The flaw is tracked as CVE-2025-4664. It was recently discovered by Solidlab security researchers and is described as "insufficient policy enforcement in Loader in Google Chrome". NVD explains that the bug allowed remote threat actors to leak cross-origin data via a crafted HTML page.
"The query parameters may contain sensitive data – for example, in OAuth flows, this can lead to an account takeover. Developers rarely consider the possibility of stealing query parameters via an image from a third-party resource," explained researcher Vsevolod Kokorin, who was credited with discovering the bug.
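The leak Kokorin describes works through the Referer header: when a page whose URL carries an OAuth code or state in its query string loads an image from a third-party host, the referrer policy in effect decides how much of that URL the third party receives. The following Python model of the W3C Referrer Policy rules is an added example, not code from the article, from Google or from Solidlab; the page URL, image URL and the list of sensitive parameter names are constructed for the demonstration. It shows which query parameters would reach a cross-origin image host under each policy, which is the check a developer can run over their own callback URLs.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Query parameter names that commonly carry secrets in OAuth/OIDC flows.
# Constructed list for this example; extend it for your own application.
SENSITIVE_PARAMS = {"code", "state", "access_token", "id_token", "token", "session"}


def origin_of(url):
    """Serialize the origin of a URL as scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def strip_credentials_and_fragment(url):
    """A full referrer never includes userinfo or the fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))


def referrer_for(page_url, request_url, policy):
    """Return the Referer value a browser sends for a subresource request to
    request_url from a document at page_url under the given referrer policy
    (W3C Referrer Policy algorithm), or None when no Referer is sent."""
    page = strip_credentials_and_fragment(page_url)
    page_origin = origin_of(page_url)
    same_origin = page_origin == origin_of(request_url)
    # A "downgrade" is an https document requesting an http resource.
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return page                      # full URL, query string included
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else page
    if policy == "origin":
        return page_origin + "/"
    if policy == "same-origin":
        return page if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else page_origin + "/"
    if policy == "origin-when-cross-origin":
        return page if same_origin else page_origin + "/"
    if policy in ("strict-origin-when-cross-origin", ""):   # "" = browser default
        if same_origin:
            return page
        return None if downgrade else page_origin + "/"
    raise ValueError(f"unknown referrer policy {policy!r}")


def leaked_sensitive_params(page_url, request_url, policy):
    """Names of sensitive query parameters that the Referer would expose to
    the host serving request_url under the given policy."""
    ref = referrer_for(page_url, request_url, policy)
    if ref is None:
        return []
    query = parse_qs(urlsplit(ref).query)
    return sorted(name for name in query if name in SENSITIVE_PARAMS)


if __name__ == "__main__":
    # Constructed sample: an OAuth callback page embedding a third-party image.
    page = "https://app.example/oauth/callback?code=AUTHCODE123&state=xyz"
    image = "https://cdn.third-party.example/pixel.png"
    for policy in ("unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{policy:32s} Referer={referrer_for(page, image, policy)!r} "
              f"leaks={leaked_sensitive_params(page, image, policy)}")
```

Running the block shows that `unsafe-url` and `no-referrer-when-downgrade` hand the third-party host both `code` and `state`, while the browser default `strict-origin-when-cross-origin` sends only `https://app.example/`. The practical takeaways for defenders are the ones the model makes visible: set an explicit `Referrer-Policy` header on pages that handle OAuth callbacks, and avoid leaving bearer secrets in the URL at all, since any mechanism that relaxes the effective policy for subresource loads turns every embedded third-party image into a disclosure channel.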
It's time to patch
The flaw was first disclosed on May 5, and Google followed up with a patch on May 14. The browser giant did not say whether the flaw had been exploited in real attacks, but it did say that a public exploit existed (which essentially means the same thing).
Now, with CISA adding the bug to KEV, FCEB agencies have until June 5 to patch their Chrome instances or stop using the browser. The first clean versions are 136.0.7103.113 for Windows/Linux and 136.0.7103.114 for macOS. In most cases Chrome rolls out the update automatically, so simply check the version you are running.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.
Indeed, the web browser is one of the most frequently targeted programs, because it handles untrusted data from countless sources across the web. Cybercriminals are constantly looking for vulnerabilities in browser code, plugins or poorly secured websites in order to harvest login credentials or find other ways of compromising the wider network.
Via BleepingComputer