Detecting Chrome CVE-2025-4664 vulnerability with Wazuh

Wazuh 4.12.0

A newly disclosed zero-day vulnerability, tracked as CVE-2025-4664, affects Google Chrome and Chromium web browsers on Windows and Linux endpoints. The flaw is in the Loader component of the browser and has serious implications for cross-origin data protection, especially in environments that rely on Chrome’s referrer policies to safeguard sensitive information. It allows malicious websites to leak cross-origin data from other websites you visit to an attacker-controlled server, without your knowledge. This may include sensitive information, such as OAuth and session IDs.

The vulnerability

The issue lies in how the web browsers handle the Link HTTP header on sub-resource requests, such as images and scripts. In contrast to other major browsers, Chrome honors the referrer-policy directive inside this header, even on sub-resources. An attacker can abuse this header by setting a looser policy, like unsafe-url, which causes Chrome to leak full referrer URLs, including sensitive tokens or credentials, to a third-party domain.

Vulnerable versions

At the time of writing, any users running the versions below are exposed to this vulnerability:

| Operating System | Product | Version |
|---|---|---|
| Windows | Google Chrome | Before 136.0.7103.113 |
| Debian 11 Linux | Chromium | Up to 120.0.6099.224 |
| Gentoo Linux | Google Chrome/Chromium | Before 136.0.7103.113 |

Detecting the vulnerability with Wazuh

The Wazuh Cyber Threat Intelligence (CTI) service provides real-time vulnerability information by aggregating known vulnerabilities from trusted external sources. Wazuh matches installed software against information from the Wazuh CTI to detect vulnerable packages. For each detected vulnerability, Wazuh dynamically generates a CTI reference using its Common Vulnerabilities and Exposures (CVE) ID, in this case CVE-2025-4664. For further analysis, you can access detailed information about the vulnerability, including its description, affected operating systems and software versions, severity ratings, and external references.
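The matching step described above can be illustrated with a simplified version check built from the "Vulnerable versions" table. This is an added example, not Wazuh's own matching code; the host names and inventory entries are constructed, and the function names are hypothetical.

```python
import re

# Vulnerable ranges copied from the "Vulnerable versions" table on this page.
# inclusive=False encodes "Before <bound>"; inclusive=True encodes "Up to <bound>".
RULES = [
    ("windows", {"google chrome"}, "136.0.7103.113", False),
    ("debian 11 linux", {"chromium"}, "120.0.6099.224", True),
    ("gentoo linux", {"google chrome", "chromium"}, "136.0.7103.113", False),
]

def parse_version(raw):
    """Return the four-part browser version as a tuple of ints, or None.

    Comparing integers avoids the string-comparison trap where
    "136.0.7103.93" sorts after "136.0.7103.113". Anything after the
    fourth number (for example a Debian package revision) is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", raw)
    return tuple(int(part) for part in m.groups()) if m else None

def is_vulnerable(os_name, package, version):
    """True/False when a table row applies; None when no row applies
    or the installed version cannot be parsed."""
    installed = parse_version(version)
    for rule_os, packages, bound, inclusive in RULES:
        if os_name.lower() == rule_os and package.lower() in packages:
            if installed is None:
                return None
            limit = parse_version(bound)
            return installed <= limit if inclusive else installed < limit
    return None

# Constructed inventory: (host, operating system, package, installed version).
INVENTORY = [
    ("win11-lab", "Windows", "Google Chrome", "136.0.7103.93"),
    ("win11-patched", "Windows", "Google Chrome", "136.0.7103.113"),
    ("deb11-lab", "Debian 11 Linux", "Chromium", "120.0.6099.224-1~deb11u1"),
    ("gentoo-lab", "Gentoo Linux", "Chromium", "136.0.7103.113"),
    ("other-lab", "Ubuntu 22.04 Linux", "Chromium", "120.0.6099.224"),
]

def scan(inventory):
    """Map each host to its verdict from is_vulnerable()."""
    return {host: is_vulnerable(o, p, v) for host, o, p, v in inventory}

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "not affected", None: "no matching rule"}
    for host, verdict in scan(INVENTORY).items():
        print(f"{host}: {labels[verdict]}")
```

A `None` verdict only means the table on this page has no row for that operating system and package; it says nothing about whether the endpoint is affected.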

Infrastructure

To write this blog post and raise awareness about the vulnerability, we used a lab environment with the following infrastructure:

Vulnerability scan results

The Wazuh Vulnerability Detection module generates alerts on the Wazuh dashboard if the monitored endpoints have the vulnerable Google Chrome (Windows 11) and Chromium (Debian 11) packages installed.

Wazuh dashboard

  1. Navigate to the Vulnerability Detection page of the Wazuh dashboard to view all detected vulnerabilities. 
  2. Add the following query in the search bar to filter for the Chrome/Chromium Zero-Day vulnerability: CVE-2025-4664.
  3. Switch to the Inventory tab to view the vulnerability alerts.
  4. Click on the vulnerability alert to view more information.
  5. Click on the Wazuh CTI reference to view detailed information about the vulnerability.

The results below are from vulnerable Windows and Linux endpoints that have the vulnerable version of the packages installed.

Mitigation

Google released an emergency patch to fix this vulnerability on Windows and Gentoo Linux endpoints. Users are advised to update the version of Chrome running on their endpoints to prevent exploitation of this zero-day vulnerability.

Chrome

Update Google Chrome to the latest version to mitigate this vulnerability.

Chromium

  • Update Chromium to the latest version on Gentoo Linux endpoints to mitigate this vulnerability.
  • At the time of writing this post, all versions of Chromium browsers up to 120.0.6099.224 on Debian 11 endpoints are vulnerable. Hence, users running vulnerable versions should uninstall the vulnerable package pending the availability of an updated version.

Wazuh dashboard

Perform the following steps on the Wazuh dashboard to verify that the vulnerability has been resolved.

  • Navigate to the Vulnerability Detection > Events page.
  • In the search bar, add the query CVE-2025-4664.
  • The vulnerability status is updated from Active to Solved when recommended actions are implemented.

Conclusion

The discovery and exploitation of CVE-2025-4664 highlight how even widely trusted software like Google Chrome and Chromium can contain vulnerabilities that put users and organizations at risk. While browser vendors like Google move quickly to patch such flaws, identifying and mitigating exposure across your infrastructure is critical.

With Wazuh, you can detect endpoints running vulnerable versions of Google Chrome affected by CVE-2025-4664. The Wazuh Vulnerability Detection module identifies outdated packages and helps you assess exposures across your environment.
