Cross-origin data leak in Google Chrome Loader
CVE-2025-4664 is an insufficient policy enforcement vulnerability in the Loader component of Google Chrome/Chromium prior to 136.0.7103.113. The flaw allows a remote attacker to use a crafted HTML page and Link header referrer-policy manipulation to weaken referrer handling on subresource requests, causing Chrome to send full referring URLs cross-origin. According to the tracked sources, this can expose sensitive query-string data such as OAuth authorization codes, session or authentication tokens, and email addresses to attacker-controlled third-party origins. Multiple sources characterize the issue as a cross-origin data leak and account-hijacking vector; claims that it is a Skia use-after-free or direct code-execution bug are inconsistent with the primary description and appear unsupported.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a proof-of-concept (PoC) exploit for CVE-2025-4664, a vulnerability in Chromium-based browsers where sensitive URL parameters can be leaked via Link header preload requests. The repository contains three main Python Flask applications:
1. target.py: A simulated vulnerable web application that uses SSO for authentication and exposes session tokens in the URL.
2. idp.py: A mock SSO identity provider that issues tokens to the target application.
3. attacker.py: A malicious server that serves a 1x1 PNG image with a specially crafted Link header.
When the image is loaded in the victim's browser, the browser preloads a resource from the attacker's /log endpoint, sending the full Referer header (including sensitive URL parameters) due to the referrerpolicy=unsafe-url. The exploit demonstrates how an attacker can exfiltrate authentication tokens or other sensitive data from a victim's browser by injecting a malicious image into a page. The repository also includes HTML templates and static assets for the demo. The setup requires mapping specific hostnames to localhost and running all three servers. The exploit is a PoC and does not include weaponized or automated attack features.
This repository demonstrates a proof-of-concept exploit for CVE-2025-4664, a high-severity vulnerability in Google Chrome's Loader component affecting versions prior to 136.0.7103.113. The exploit leverages Chrome's improper handling of the referrer-policy attribute in HTTP Link headers for subresource requests. The repository contains two main files: 'index.html', which simulates a malicious web page that triggers the vulnerability by loading a resource from an attacker-controlled server with a permissive referrerpolicy, and 'servidor_atacante.py', a Python Flask server that listens for incoming requests and logs the Referer header. When a victim using a vulnerable Chrome version visits the crafted HTML page, their browser sends the full URL (including sensitive query parameters) as the Referer to the attacker's server, potentially leaking session tokens or credentials. The exploit is a working proof-of-concept and does not include weaponized or automated exploitation features. The README provides detailed background, exploitation steps, and mitigation advice.
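Added here as an illustration, not code from either repository above or from Chromium: a small defensive checker that parses a response's Link header and flags cross-origin preload hints whose referrerpolicy would make a vulnerable Chrome send the full page URL (query string included) to another origin, the condition both PoCs exercise. The sample header and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Referrer policies under which the full URL (path and query string) is sent
# to another origin; unsafe-url is the one the tracked PoCs use.
LEAKY_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

def parse_link_header(value):
    """Parse an HTTP Link header into (target, params) pairs (RFC 8288 subset)."""
    links = []
    for part in re.split(r",(?=\s*<)", value):
        m = re.match(r"\s*<([^>]*)>\s*(.*)", part)
        if not m:
            continue
        params = {}
        for p in m.group(2).split(";"):
            k, _, v = p.strip().partition("=")
            if k:
                params[k.strip().lower()] = v.strip().strip('"').lower()
        links.append((m.group(1), params))
    return links

def is_cross_origin(target, page_origin):
    """True when the hinted resource lives on a different origin than the page."""
    t, p = urlsplit(target), urlsplit(page_origin)
    return bool(t.netloc) and (t.scheme, t.netloc) != (p.scheme, p.netloc)

def find_leaky_preloads(link_header, page_origin):
    """Return cross-origin preload targets whose referrerpolicy leaks the full URL."""
    findings = []
    for target, params in parse_link_header(link_header):
        if "preload" not in params.get("rel", "").split():
            continue
        policy = params.get("referrerpolicy", "")
        if policy in LEAKY_POLICIES and is_cross_origin(target, page_origin):
            findings.append(target)
    return findings

# Constructed sample: a same-origin stylesheet hint plus a third-party image
# preload that requests unsafe-url, the pattern the PoCs above depend on.
SAMPLE_LINK = (
    "</static/app.css>; rel=preload; as=style, "
    '<https://third-party.example/log>; rel="preload"; as=image; '
    "referrerpolicy=unsafe-url"
)

if __name__ == "__main__":
    print(find_leaky_preloads(SAMPLE_LINK, "https://app.example"))
```

Run it against the Link headers your own pages emit; any hit is a third-party preload that should drop the referrerpolicy override or be removed, and tokens should not be carried in the URL in the first place.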
ChromSploit Framework is a modular, extensible exploitation and research platform focused on browser and server vulnerabilities. It provides operational exploit modules for several high-profile CVEs (including Chrome, Edge, Firefox, Tomcat, and Git), with a strong emphasis on safety: all exploits default to simulation mode, and real exploitation requires explicit authorization. The framework supports multi-stage browser exploit chains, advanced payload obfuscation, automated tunneling (ngrok), and C2 integration (Sliver, Metasploit). It includes a professional reporting system, live monitoring, and evidence collection. The repository is well-structured, with clear separation between core logic, modules, exploits, and documentation. Numerous endpoints are fingerprintable, including local HTTP servers for exploit delivery, OAuth phishing, and data exfiltration. The codebase is primarily Python, with supporting JavaScript, JSP, and shell scripts. This framework is suitable for advanced security research, red teaming, and educational demonstrations, but should only be used in authorized, isolated environments due to the presence of real exploit code (even though simulation is the default).
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
85 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Google Chrome vulnerability that allowed attackers to weaken referrer policy via Link headers on sub-resource requests, causing full page URLs including authentication tokens to be leaked to third-party servers.
A Chrome vulnerability caused by insufficient policy enforcement in the Loader component that can enable cross-origin data leakage; exploit reported in the wild.
Use-after-free in Chrome's Skia component leading to memory corruption and potential code execution.
An account-hijacking vulnerability in Chrome's Loader component, enabling cross-origin data leakage and potentially allowing attackers to hijack user accounts.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.