Google Releases Exploit Code for Unfixed Chromium Bug
Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability. Found within the Chromium codebase, this flaw potentially exposes millions of users across Chrome, Microsoft Edge, and other Chromium-based browsers to stealthy botnet-style abuse.
The vulnerability, originally reported in late 2022 by independent security researcher Lyra Rebane, remains unfixed after more than 42 months. It has been assigned a Priority 1 (P1) rating, indicating high urgency, and a Severity 2 (S2) rating, marking it as a serious security issue within Chromium’s vulnerability classification framework.
The flaw resides in the Browser Fetch API, a feature designed to allow large downloads, such as videos or files, to continue in the background via Service Workers.
However, Rebane discovered that this mechanism can be abused to create persistent, never-terminating tasks that maintain continuous communication with attacker-controlled infrastructure.
By leveraging this behavior, attackers can establish a covert communication channel between a victim’s browser and a command-and-control (C2) server. Notably, in some implementations, such as Microsoft Edge, the connection may persist even after the browser is closed or the system is rebooted.
The exploit effectively transforms a browser into a “limited botnet node” without requiring any user interaction.
Exploitation Requires Only a Website Visit
The attack vector is particularly concerning due to its simplicity. Any user visiting a malicious or compromised website can be silently enrolled into this browser-based botnet.
According to Rebane’s disclosure, attackers can deploy a malicious webpage whose Service Worker starts a background fetch task that never terminates, allowing JavaScript to keep executing on the victim’s device indefinitely.
“It’s realistic to get tens of thousands of pageviews for creating a ‘botnet,’ and users won’t be aware that JavaScript can be remotely executed on their device,” Rebane noted in the original report.
While the exploit is constrained by browser sandboxing, its capabilities still pose a significant risk at scale. Potential abuse scenarios include:
- Distributed Denial-of-Service (DDoS): Compromised browsers can be orchestrated to flood target infrastructure with traffic.
- Proxy Networks: Attackers can route malicious or anonymized traffic through victim browsers.
- Traffic Redirection: Users can be silently redirected to attacker-controlled or malicious destinations.
- Activity Monitoring: Limited tracking of browsing behavior and network activity.
The researcher emphasized that while current capabilities are limited to browser-level actions, the real risk lies in chaining this vulnerability with future exploits. A pre-established network of compromised browsers could serve as a launchpad for more advanced attacks once additional vulnerabilities are identified.
Google’s decision to publish exploit code before issuing a patch has raised concerns within the security community. The PoC lowers the barrier to entry for threat actors, making exploitation “pretty easy,” according to Rebane, although scaling operations would require additional infrastructure.
In the Chromium issue tracker, multiple developers acknowledged the severity of the flaw, describing it as a “serious vulnerability.” Despite this, no complete fix has been rolled out as of this writing.
Affected Platforms
- Google Chrome
- Microsoft Edge
- Brave Browser
- Opera
- Other Chromium-based browsers
Until an official patch is released, users and organizations should consider the following mitigations:
- Restrict Service Worker usage via enterprise browser policies where feasible.
- Disable background fetch features if configurable.
- Use network-level monitoring to detect anomalous outbound browser connections.
- Implement browser isolation technologies in enterprise environments.
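The third mitigation, network-level monitoring, is the one a defender can act on today without waiting for a browser policy. The following is an added example written for this article, not code from Google, Chromium, or the researcher: it runs two heuristics over constructed proxy-log lines, flagging a browser that holds a single outbound connection open for hours (the never-terminating fetch described above) and a browser that reconnects to the same host on a metronomic cadence, then reports destinations that several flagged clients share. The log format, the `Connection` record, the function names, the threshold constants and the host names are all assumptions made for the example.

```python
"""Flag long-lived or metronomic outbound browser connections in proxy logs.

Added example for this article, not code from the original page. The log
format (ISO timestamp, client IP, destination host, connection duration in
seconds, user agent) and every threshold below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

LONG_LIVED_SECONDS = 3600     # constructed threshold: one connection open > 1 h
MIN_BEACONS = 4               # constructed threshold: at least 4 reconnects ...
MAX_JITTER = 0.2              # ... whose inter-arrival times vary by <= 20 %
BROWSER_AGENTS = ("Chrome", "Edge", "Brave", "Opera")  # restrict to browser traffic

# Constructed sample. 10.0.0.5 is ordinary browsing; 10.0.0.9 reconnects to one
# host every 60 s; 10.0.0.12 keeps a single connection to that host open for 6 h.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.0.0.5 news.example.net 2 Chrome/124
2024-05-01T09:00:03Z 10.0.0.5 cdn.example.net 1 Chrome/124
2024-05-01T09:05:00Z 10.0.0.5 mail.example.net 4 Chrome/124
2024-05-01T09:00:00Z 10.0.0.9 update.example-c2.test 1 Chrome/124
2024-05-01T09:01:00Z 10.0.0.9 update.example-c2.test 1 Chrome/124
2024-05-01T09:02:00Z 10.0.0.9 update.example-c2.test 1 Chrome/124
2024-05-01T09:03:00Z 10.0.0.9 update.example-c2.test 1 Chrome/124
2024-05-01T09:04:00Z 10.0.0.9 update.example-c2.test 1 Chrome/124
2024-05-01T09:00:00Z 10.0.0.12 update.example-c2.test 21600 Edge/124
"""


@dataclass(frozen=True)
class Connection:
    start: datetime
    client: str
    host: str
    duration: int          # seconds the connection stayed open
    agent: str


def parse_log(text):
    """Parse the constructed whitespace-separated log format into Connection records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, duration, agent = line.split(maxsplit=4)
        start = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        conns.append(Connection(start, client, host, int(duration), agent))
    return conns


def long_lived(conns, threshold=LONG_LIVED_SECONDS):
    """(client, host) pairs holding a single connection open at least `threshold` seconds."""
    return sorted({(c.client, c.host) for c in conns if c.duration >= threshold})


def beaconing(conns, min_count=MIN_BEACONS, max_jitter=MAX_JITTER):
    """(client, host) pairs that reconnect on a near-constant cadence.

    Jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connection starts; human browsing is bursty, timers are not.
    """
    by_pair = defaultdict(list)
    for c in conns:
        if c.duration < LONG_LIVED_SECONDS:   # beacons are short; long ones are handled above
            by_pair[(c.client, c.host)].append(c.start)
    flagged = []
    for pair, starts in by_pair.items():
        if len(starts) < min_count:
            continue
        starts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append(pair)
    return sorted(flagged)


def fan_in(flagged_pairs, min_clients=2):
    """Destinations shared by several distinct flagged clients: botnet-style fan-in."""
    clients = defaultdict(set)
    for client, host in flagged_pairs:
        clients[host].add(client)
    return sorted(h for h, cs in clients.items() if len(cs) >= min_clients)


def analyze(text):
    """Run both heuristics over a log and summarise the hits."""
    conns = [c for c in parse_log(text) if c.agent.startswith(BROWSER_AGENTS)]
    ll = long_lived(conns)
    bc = beaconing(conns)
    return {"long_lived": ll, "beaconing": bc, "shared_destinations": fan_in(ll + bc)}


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(f"{key}: {hits}")
```

The thresholds are deliberately coarse: a one-hour open connection will also catch legitimate video streams and WebSocket-heavy web apps, so in practice the output is a triage list to correlate with the destination's reputation and with how many distinct clients share it, which is what the `shared_destinations` result is for. Feed it the real proxy or egress-firewall export by adapting `parse_log` to that format.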
With exploit code now public and no patch available, the vulnerability presents a unique window of opportunity for threat actors targeting large-scale browser-based botnets.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.