On Wednesday, Google published exploit code for an unfixed vulnerability within the Chromium browser codebase, posing a threat to millions of users of Chrome, Microsoft Edge, and other Chromium-based browsers. The vulnerability remains unpatched despite being known to developers for 29 months.
The proof-of-concept code targets the Browser Fetch programming interface, a web standard designed to let large files such as videos continue downloading in the background. An attacker can abuse it to monitor browser usage or to use the compromised browser instance as a proxy for reaching sites and launching distributed denial-of-service (DDoS) attacks. Critically, these malicious connections may persist, or automatically reopen, even after a browser restart or a full device reboot.
Discovered in late 2022 by independent researcher Lyra Rebane, the flaw can be exploited by any website a user visits. This effectively transforms the device into a node within a limited botnet. While its capabilities are restricted to what a browser can natively do—such as visiting malicious URLs or acting as an anonymous proxy—it allows attackers to wrangle millions of devices into a coordinated network. Rebane warned that if a separate privilege-escalation vulnerability surfaces, these pre-compromised devices could be fully taken over.
In the original disclosure thread, Chromium developers categorized the issue as a "serious vulnerability" with an S1 rating, the second-highest severity classification. Despite this, it remained unpatched. On Wednesday morning, the exploit code was accidentally made public on the Chromium bug tracker. Although Google quickly pulled the post, the exploit code has already been mirrored on archival sites, leaving millions of users vulnerable to a now-public threat.