Google has publicly released proof-of-concept (PoC) exploit code for a critical, still-unpatched vulnerability in the Chromium codebase, potentially exposing millions of users across Chrome, Microsoft Edge, Brave, Opera, and other Chromium-based browsers to stealthy botnet-style abuse.
The vulnerability was originally reported in late 2022 by independent security researcher Lyra Rebane and remains unpatched more than 42 months later.
It carries a Priority 1 (P1) rating, indicating high urgency, and a Severity 2 (S2) classification, marking it as a serious issue within Chromium’s internal vulnerability framework.
Google Publishes Exploit Code for Unfixed Chromium Vulnerability
The vulnerability lies in the Browser Fetch API, a feature that allows large downloads, such as videos or files, to continue processing in the background via Service Workers.
Rebane discovered that this mechanism can be weaponized to spawn persistent, never-terminating background tasks that maintain continuous communication with attacker-controlled infrastructure.
By exploiting this behavior, threat actors can establish a covert channel between a victim’s browser and a command-and-control (C2) server.
In certain implementations, notably Microsoft Edge, this connection can persist even after the browser is closed or the device is rebooted, dramatically expanding the attack surface, CSN said.
The result effectively transforms an ordinary browser into a limited botnet node, requiring zero user interaction beyond a single website visit.
The attack vector is deceptively simple. A user visiting any malicious or compromised webpage can be silently enrolled into a browser-based botnet. According to Rebane’s disclosure, the attack chain works as follows:
- A malicious webpage deploys a Service Worker upon visit
- The Service Worker initiates a background fetch task that never terminates
- This enables continuous remote JavaScript execution on the victim’s device without visible indicators
“It’s realistic to get tens of thousands of pageviews for creating a ‘botnet,’ and users won’t be aware that JavaScript can be remotely executed on their device,” Rebane stated in the original report.
While browser sandboxing limits the exploit’s immediate scope, the risk at scale remains significant. Documented abuse scenarios include:
- DDoS Attacks — Compromised browsers can be orchestrated to flood the target infrastructure with traffic
- Proxy Networks — Attackers can route malicious or anonymized traffic through victim devices
- Traffic Redirection — Users can be silently pushed toward attacker-controlled destinations
- Activity Monitoring — Limited passive tracking of browsing behavior and network telemetry
Rebane also warned that the real long-term risk lies in exploiting a pre-established botnet of compromised browsers, which could serve as a ready-made launchpad once additional vulnerabilities are discovered.
Google’s decision to release PoC code before issuing a fix has drawn criticism from the security community. Multiple Chromium developers acknowledged the flaw as a “serious vulnerability” in the issue tracker, yet no complete remediation has been deployed.
With the PoC publicly available, Rebane noted that exploitation is now “pretty easy,” though scaling an operation would require additional infrastructure investment from threat actors.
Affected Platforms
- Google Chrome
- Microsoft Edge
- Brave Browser
- Opera
- Other Chromium-based browsers
Mitigations
Until an official patch is released, security teams should take these defensive steps:
- Restrict Service Worker usage via enterprise browser policies
- Disable background fetch features where browser configuration permits
- Deploy network-level monitoring to flag anomalous outbound browser connections
- Implement browser isolation technologies in enterprise and high-risk environments
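As an added illustration of the network-level monitoring step (example code, not part of the article or of Rebane’s report), the Python check below reads a constructed proxy log in an assumed format and flags browser clients that keep one external host almost continuously connected, or re-fetch it on a fixed schedule, which is the traffic shape a never-terminating background fetch would leave behind.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log, one line per connection (assumed format):
# <epoch_seconds> <client_ip> <dest_host> <duration_seconds> <user_agent>
SAMPLE_LOG = """\
1700000000 10.0.0.5 cdn.example.net 2 Chrome/120
1700000060 10.0.0.5 cdn.example.net 3 Chrome/120
1700000000 10.0.0.7 persist.example.test 1800 Chrome/120
1700001800 10.0.0.7 persist.example.test 1800 Chrome/120
1700003600 10.0.0.7 persist.example.test 1800 Chrome/120
1700000000 10.0.0.9 beacon.example.test 1 Chrome/120
1700000030 10.0.0.9 beacon.example.test 1 Chrome/120
1700000060 10.0.0.9 beacon.example.test 1 Chrome/120
1700000090 10.0.0.9 beacon.example.test 1 Chrome/120
1700000000 10.0.0.11 metrics.example.org 1 curl/8.4
1700000030 10.0.0.11 metrics.example.org 1 curl/8.4
1700000060 10.0.0.11 metrics.example.org 1 curl/8.4
1700000090 10.0.0.11 metrics.example.org 1 curl/8.4
"""

def browser_sessions(log):
    # Group connections by (client, host). Every Chromium-based browser sends a
    # Chrome/ token, so scripts and updaters (curl above) are left out.
    sessions = defaultdict(list)
    for line in log.splitlines():
        ts, client, host, duration, agent = line.split(maxsplit=4)
        if "Chrome/" in agent:
            sessions[(client, host)].append((int(ts), int(duration)))
    return sessions

def find_persistent_channels(log, min_busy_ratio=0.9, min_beacons=4, max_jitter=0.2):
    # Flag a client/host pair when the browser keeps one host almost
    # continuously connected (chained long fetches) or re-fetches it on a
    # metronomic schedule (low inter-arrival jitter). Returns (client, host, reason).
    findings = []
    for (client, host), conns in browser_sessions(log).items():
        conns.sort()
        window = max(s + d for s, d in conns) - conns[0][0]
        busy = sum(d for _, d in conns)
        if len(conns) >= 2 and busy / max(window, 1) >= min_busy_ratio:  # one big download alone is not flagged
            findings.append((client, host, f"connected {busy}s of a {window}s window"))
            continue
        if len(conns) >= min_beacons:
            gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
            jitter = pstdev(gaps) / mean(gaps) if mean(gaps) else 1.0
            if jitter <= max_jitter:
                findings.append((client, host, f"{len(conns)} fetches every ~{mean(gaps):.0f}s (jitter {jitter:.2f})"))
    return findings
```

The thresholds are starting points: tune the busy ratio and beacon count against a baseline of normal traffic before alerting on them.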
With public exploit code circulating and no patch on the horizon, this vulnerability presents an active, exploitable window of opportunity for threat actors pursuing large-scale, browser-based botnet infrastructure.
The post Google Publishes Exploit Code for Unfixed Chromium Vulnerability appeared first on Cyber Security News.
