The Indian Computer Emergency Response Team (CERT-In) has issued a security advisory warning of multiple vulnerabilities in Google Chrome for Desktop that could potentially allow attackers to gain unauthorized access to users’ systems.
Highlights
These vulnerabilities, rated “high” in severity, affect Chrome versions running on Windows, macOS, and Linux platforms.
Documented in CERT-In’s vulnerability note CIVN-2025-0099, published on May 16, the advisory urges users to update their browsers immediately.
Systems running versions older than 136.0.7103.113 (and 136.0.7103.114 for Windows) are especially vulnerable.
The advisory notes that attackers could exploit these flaws by directing users to specially crafted websites, with the potential for system compromise even without further user interaction.
Vulnerabilities Identified
Among the issues disclosed is CVE-2025-4664, which involves insufficient policy enforcement in Chrome’s Loader component. This flaw could allow an attacker to leak cross-origin data using a malicious HTML page.
Another vulnerability, CVE-2025-4609, relates to improper handling in Chrome’s Mojo IPC component under unspecified conditions. This issue could lead to privilege escalation or memory corruption if exploited.
Google addressed these security issues in a browser update released on May 14, 2025, crediting external researchers for reporting them. CERT-In’s bulletin followed two days later, highlighting the urgency of patching these flaws to prevent exploitation.
Active Exploitation in the Wild
The CVE-2025-4664 vulnerability has been confirmed as actively exploited.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities Catalog, advising users to apply the latest Chrome update no later than June 5, 2025.
Timeline of Discovery and Response
- May 5, 2025: Security researcher Vsevolod Kokorin (@slonser_) reported the vulnerability.
- May 14, 2025: Google released a patch.
- May 16, 2025: CERT-In issued its official advisory.
Potential Impact on Other Chromium-Based Browsers
Although the advisory centers on Google Chrome, other browsers built on the Chromium engine—such as Microsoft Edge, Brave, Opera, and Vivaldi—could also be affected. Users of these browsers are advised to ensure they are running the most recent versions to reduce risk.
Post-Update Recommendations
Users are reminded that simply downloading the update is not sufficient. A browser restart is required for the security patches to take full effect. Without this step, systems may remain exposed despite appearing up to date.
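The version thresholds in the Highlights section (136.0.7103.113, and 136.0.7103.114 for Windows) are the practical test a defender applies across a fleet. The script below is an added example, not CERT-In's or Google's tooling: it parses dotted Chrome version strings numerically and flags hosts whose installed build predates the fixed one for their platform. The inventory rows are constructed sample data; the only real values are the fixed versions quoted from the advisory.

```python
"""Flag Chrome for Desktop installs that predate the builds fixed in
CIVN-2025-0099. Added example; not CERT-In's or Google's own tooling."""
from typing import List, Tuple

# Minimum patched builds, as stated in the advisory summary above.
FIXED_VERSIONS = {
    "windows": "136.0.7103.114",
    "macos": "136.0.7103.113",
    "linux": "136.0.7103.113",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints.

    Numeric comparison matters: as strings, '136.0.7103.92' sorts after
    '136.0.7103.113' because '9' > '1', which would hide a vulnerable build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> bool:
    """True if the installed build is older than the fixed build for the platform."""
    key = platform.lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[key])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames from (host, platform, version) rows that still need the update."""
    return [host for host, platform, ver in inventory if is_vulnerable(platform, ver)]


if __name__ == "__main__":
    # Constructed inventory rows, e.g. an export from endpoint management.
    SAMPLE = [
        ("ws-01", "windows", "136.0.7103.92"),    # older patch number: vulnerable
        ("ws-02", "windows", "136.0.7103.113"),   # fixed on macOS/Linux, not Windows
        ("ws-03", "windows", "136.0.7103.114"),   # patched
        ("mac-01", "macos", "136.0.7103.113"),    # patched
        ("lx-01", "linux", "135.0.7049.114"),     # previous major: vulnerable
    ]
    for host in triage(SAMPLE):
        print(f"{host}: update Chrome and restart the browser")
```

The check reports what is installed on disk, which is exactly why the restart reminder above still applies: a browser that has downloaded the update but not been relaunched can report the new version while the old code is still running, so pair this inventory check with a relaunch on every flagged host.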
Cybersecurity Practices
CERT-In also recommends general best practices to enhance digital safety:
- Avoid clicking on suspicious links or downloading content from untrusted sources.
- Ensure that all operating systems and software are kept up to date.
- Use reputable antivirus and anti-malware programs.
- Perform regular data backups to safeguard against data loss in the event of a breach.
Focus on Desktop Versions
This advisory specifically targets desktop versions of Chrome. While mobile platforms such as iOS and Android are not directly referenced in this advisory, previous advisories have noted that mobile versions can also be affected by certain Chrome-related vulnerabilities.
As a precaution, users on all platforms are advised to stay informed and cautious.