On Wednesday, Google inadvertently published working exploit code for an unfixed vulnerability in its Chromium browser codebase, exposing millions of users of Google Chrome, Microsoft Edge, and nearly every other Chromium-based browser.
The proof-of-concept (PoC) code targets the Browser Fetch programming interface, a web standard that lets a site keep downloading large files, such as long-form videos, in the background. By abusing it, an attacker can hold connections open from a victim's browser and use them to monitor aspects of the user's browsing, route traffic to external sites through the browser as an anonymous proxy, or contribute to distributed denial-of-service (DDoS) attacks. Depending on the browser, those connections can reopen automatically, or simply stay active, after the browser is closed or the host device is rebooted.
The flaw has gone unfixed for 46 months and counting, and virtually any website a user visits can trigger it. A successful exploit amounts to a limited backdoor that turns the device into a node in a botnet. What such a node can do today is bounded by what a browser can already do (visit malicious sites, proxy traffic, report on user activity), but that is enough to marshal thousands or millions of browsers into a coordinated network. Once a second vulnerability is found, attackers could chain it with this one to fully compromise the devices behind those browsers.
"The dangerous part here is that you can just have a lot of different browsers together that you can in the future run something on that you figure out," said Lyra Rebane, the independent researcher who discovered the flaw and privately disclosed it to Google in late 2022. She noted that while using the prematurely published exploit code is "pretty easy," scaling it to control massive numbers of devices would require additional development. In the disclosure thread, two Chromium developers acknowledged it as a "serious vulnerability," rating its priority as P1 (the second-highest classification) and severity as S2 (the third-highest).
Since it was first reported nearly four years ago, the vulnerability had remained confidential among Chromium developers. On Wednesday morning, however, it was accidentally made public on the Chromium bug tracker. Rebane initially took this to mean a patch had shipped, but quickly learned the flaw remains unpatched. Google has since deleted the tracker entry, but the discussion and the fully functional exploit code had already been mirrored on various web archive sites.
[AgentUpdate Depth Analysis] As AI agents, and browser agents in particular (automated web scraping, RPA, retrieval-augmented tasks), spread through enterprise workflows, Chromium-based runtimes have become load-bearing infrastructure for the AI ecosystem. This premature leak is a direct warning for that infrastructure: LLM-driven agents that browse through headless Chromium via Playwright, Puppeteer, or MCP browser tools are exposed to the same flaw as a human user, with one difference: nobody is watching the browser. An agent that lands on a page carrying the exploit can have its runtime quietly turned into a proxy or botnet node, and because the connections can outlive the browser session, the abuse need not end when the task does. The renderer sandbox limits what a page can do to the host, not what it can make the browser do on the network, and an agent's operator usually has no view of either. The lesson is that agent security has to go beyond prompt-injection defenses to agent-native secure runtimes: isolated, disposable sandboxes (a browser profile discarded after each task, so nothing persists across runs), behavioural auditing of what the browser actually does, and strict egress controls that allow only the destinations a task needs.
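The egress control called for above, as an added example written for this page rather than code from the article, from Chromium, or from Playwright: a default-deny host allowlist enforced through Playwright request routing. The allowlisted host names and the sample URLs are constructed. attachEgressPolicy assumes a Playwright BrowserContext and uses only its documented route(), request().url(), continue() and abort() calls; the note that context.route() does not see requests issued by a service worker, and that serviceWorkers: "block" is a newContext option, reflects Playwright's documented behaviour. Whether the interface at issue in the article is service-worker-backed is not stated on the page and is not assumed here.

```javascript
// Added example (not from the article, Chromium, or Playwright): a default-deny
// egress allowlist for a Playwright-driven browser agent. The policy logic is
// kept free of Playwright so it runs and can be tested without a browser.
// Host names below are constructed sample data.

const ALLOWED_HOSTS = ["docs.example.com", "api.example.com"];

// Decide whether the agent may contact a URL. Default deny: anything that is
// not https to an allowlisted host (or a subdomain of one) is refused.
function evaluateEgress(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allow: false, reason: `scheme ${url.protocol} not permitted` };
  }
  const host = url.hostname.toLowerCase();
  // IP literals bypass a name-based allowlist (and can reach internal ranges),
  // so they are refused outright. WHATWG URL normalises IPv4 forms such as
  // 0x7f.1 to dotted-quad and keeps the brackets on IPv6 hosts.
  if (host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return { allow: false, reason: "IP literal host" };
  }
  const matched = allowedHosts.find(
    (a) => host === a || host.endsWith("." + a)
  );
  if (!matched) {
    return { allow: false, reason: `host ${host} not in allowlist` };
  }
  return { allow: true, reason: `matched ${matched}` };
}

// Build a Playwright route handler that enforces the policy. Blocked requests
// are aborted with a client-side error code rather than silently dropped, so
// the failure is visible in the agent's trace. `log` receives one line per
// blocked request for auditing.
function makeRouteHandler(allowedHosts = ALLOWED_HOSTS, log = console.log) {
  return (route) => {
    const url = route.request().url();
    const verdict = evaluateEgress(url, allowedHosts);
    if (verdict.allow) return route.continue();
    log(`egress blocked: ${url} (${verdict.reason})`);
    return route.abort("blockedbyclient");
  };
}

// Attach the policy to a Playwright BrowserContext. Caveat: context.route()
// does not intercept requests issued by a service worker, so create the
// context with serviceWorkers: "block" for this to be a complete boundary.
async function attachEgressPolicy(context, allowedHosts = ALLOWED_HOSTS, log = console.log) {
  await context.route("**/*", makeRouteHandler(allowedHosts, log));
}

// Stand-alone demonstration on constructed URLs (no browser needed).
for (const u of [
  "https://docs.example.com/page",
  "https://cdn.docs.example.com/a.js",
  "http://docs.example.com/plain",
  "https://203.0.113.7/",
  "https://evil.example.net/beacon",
]) {
  const v = evaluateEgress(u);
  console.log(`${v.allow ? "ALLOW" : "DENY "} ${u} (${v.reason})`);
}
```

In an agent harness the wiring is: const context = await browser.newContext({ serviceWorkers: "block" }); await attachEgressPolicy(context, hostsForThisTask); then run the task and close the context so the profile is discarded. The allowlist is per task on purpose: an agent fetching documentation has no reason to reach anything but the documentation host, and every aborted request in the log is a signal worth reading.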