A serious Chromium vulnerability originally reported privately in late 2022 remains unpatched despite Google publishing exploit code years later. The proof-of-concept abuses the Browser Fetch API to maintain persistent service-worker connections that can proxy traffic, enable DDoS, and monitor user activity — potentially surviving reboots on some Chromium-based browsers like Chrome and Edge. Researcher Lyra Rebane flagged the issue as S1 severity; Chromium assigned it high severity but failed to deliver a timely fix. Google briefly posted then removed the exploit from the Chromium bug tracker, yet copies persist on archives, leaving millions of users exposed and raising questions about disclosure and patching practices.
Tech professionals need to know this because an unpatched, publicly available exploit increases risk for users, networks, and services and demands urgent mitigation and monitoring. It also highlights disclosure and patch-management weaknesses in major open-source components relied on by many products.
Dossier last updated: 2026-05-21 22:43:22
Rebane: "back in 2022 i found a bug that would let me, wit…" - Infosec Exchange
Google accidentally published proof-of-concept exploit code for a 29-month-old, still-unpatched Chromium vulnerability that affects Chrome, Edge and other Chromium-based browsers. The exploit abuses the Browser Fetch API to open persistent service workers that can be used as a covert proxy, to monitor activity, and to coordinate distributed denial-of-service attacks — effectively enlisting browsers into a limited botnet. Independent researcher Lyra Rebane, who reported the bug privately to Google in late 2022, says the flaw was rated high severity (S1) and that publishing the code made practical exploitation easier. Google removed the post, but archived copies and the exploit remain available while a patch is still absent. This raises urgent security and disclosure-process concerns for the browser ecosystem.
Chromium publishes fixed exploit 4 years later, turns out it's actually unfixed
Google inadvertently published exploit code for an unfixed Chromium vulnerability that risks millions of Chromium-based browser users, including Chrome and Edge. The proof-of-concept abuses the Browser Fetch API to create persistent service-worker connections that can proxy browsing, enable DDoS, and monitor activity; connections may persist across reboots depending on the browser. Independent researcher Lyra Rebane reported the flaw privately in late 2022 and called it serious; Chromium assigned it an S1 severity, but it remained unpatched for 29 months. Google briefly posted the exploit to the Chromium bug tracker, then removed it, though copies persist on archival sites. A patch timeline and Google comment remain unavailable.