Insufficient policy enforcement in Chrome’s Loader component
This message is intended for U-M IT staff who are responsible for university devices running the Google Chrome web browser. It will also be of interest to individuals who have Chrome installed on their own devices.
Summary
Google has released security updates to address a high-severity, zero-day vulnerability in Chrome.
Problem
Google describes the vulnerability (CVE-2025-4664) as insufficient policy enforcement in Chrome's Loader component. A remote attacker who gets a user to visit a maliciously crafted HTML page can use it to leak cross-origin data. Depending on what that data contains (for example, sensitive values in URLs), successful exploitation could lead to full account takeover.
Threats
Google is aware of reports that an exploit for this vulnerability exists in the wild.
Affected Systems
Google Chrome versions prior to 136.0.7103.113
Action Items
Due to reports of active exploitation of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Chrome on MiWorkspace machines is set up to auto update, but all users should take action to apply the update as soon as possible. To begin using the new version:
- Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
- Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.
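For IT staff checking many devices rather than one, the version check in these steps is easy to get wrong in a script: Chrome build numbers must be compared numerically, since as strings "136.0.7103.92" sorts after "136.0.7103.113". The following script is an added example written for this advisory, not code from Google or U-M ITS. It assumes the fixed build from the Affected Systems section, Chrome's standard --version output on Linux and macOS, the HKCU\Software\Google\Chrome\BLBeacon registry key on Windows, and a constructed sample inventory standing in for a real fleet report.

```python
"""Fleet check for the Chrome Loader fix (136.0.7103.113).

Added example for this advisory, not code from Google or U-M ITS.
Assumptions: the fixed version is taken from the Affected Systems section;
the local lookup relies on Chrome's standard --version output on Linux
and macOS and on the HKCU\\Software\\Google\\Chrome\\BLBeacon registry key on
Windows; SAMPLE_INVENTORY is constructed data, not real hosts.
"""
import platform
import re
import shutil
import subprocess

FIXED_VERSION = "136.0.7103.113"   # from the advisory's Affected Systems


def parse_version(text):
    """Extract a four-part Chrome version from text and return it as ints.
    Comparing tuples of ints avoids the string-comparison trap where
    '136.0.7103.92' sorts after '136.0.7103.113'."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the version in version_text is older than the fixed build."""
    return parse_version(version_text) < parse_version(fixed)


def installed_chrome_version():
    """Best-effort lookup of the local Chrome version; None if not found.
    Assumes the standard install locations named in the module docstring."""
    system = platform.system()
    if system == "Windows":
        try:
            import winreg  # only available on Windows
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                 r"Software\Google\Chrome\BLBeacon")
            value, _ = winreg.QueryValueEx(key, "version")
            return str(value)
        except (OSError, ImportError):
            return None
    if system == "Darwin":
        binaries = ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"]
    else:
        binaries = [p for p in (shutil.which(n) for n in
                                ("google-chrome", "google-chrome-stable")) if p]
    for binary in binaries:
        try:
            out = subprocess.run([binary, "--version"], capture_output=True,
                                 text=True, timeout=10, check=False).stdout
            if re.search(r"\d+\.\d+\.\d+\.\d+", out):
                return out.strip()
        except OSError:
            continue
    return None


# Constructed sample inventory (hostname, reported version string); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 136.0.7103.92"),
    ("ws-002", "Google Chrome 136.0.7103.113"),
    ("ws-003", "Google Chrome 135.0.7049.115"),
    ("ws-004", "Google Chrome 136.0.7103.114"),
]


def needs_update(inventory):
    """Return the sorted hostnames whose Chrome predates the fixed build."""
    return sorted(host for host, version in inventory if is_vulnerable(version))


if __name__ == "__main__":
    local = installed_chrome_version()
    if local is None:
        print("Chrome not found on this machine")
    else:
        state = "VULNERABLE" if is_vulnerable(local) else "patched"
        print(f"local: {local} -> {state}")
    print("sample hosts needing the update:", needs_update(SAMPLE_INVENTORY))
```

Run it on a device to get the local verdict, or feed needs_update() the (hostname, version) pairs exported from your inventory tool to get the list of machines that still need the update and relaunch. A version number newer than the fixed build (for example a later 136 or any 137 build) is reported as patched, which is the correct reading of "versions prior to 136.0.7103.113".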
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
Chrome on MiWorkspace machines is set up to auto update. We advise users to also set their personal devices to auto update Chrome. Because Chrome downloads updates in the background but only applies them when the browser is closed and reopened, we recommend all users take the following actions as soon as possible on personal or MiWorkspace devices:
- Find out your version: Go to the Chrome menu at the top right (three dots) and select Help > About Google Chrome.
- Update Chrome: From the About page, click Update Google Chrome (if necessary) and click Relaunch. The relaunch retains the browser content you have open. For more information, see Update Google Chrome.
In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Google fixes high severity Chrome flaw with public exploit (BleepingComputer, 5/15/2025)
- Google Chrome Zero-Day Vulnerability (CVE-2025-4664) Actively Exploited in The Wild (gbhackers, 5/15/2025)
- New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy (The Hacker News, 5/15/2025)