Our Take
Google published live exploit code for an unfixed vulnerability affecting hundreds of millions of users, then tried to bury it—but the damage was already done.
Why it matters
Any website you visit can now use this exploit to establish a persistent connection that survives reboots and device restarts, turning your browser into a botnet node. The 29-month lag between discovery and public disclosure shows how slowly critical browser vulnerabilities get fixed, even at Google.
Do this week
Security teams: audit your Chromium-based browser deployments (Chrome, Edge, Brave, Opera) and assume this vulnerability is actively exploited; test your network monitoring for unusual outbound connections and persistent browser activity across reboots.
Google published live exploit code on Wednesday
Google posted proof-of-concept code to its Chromium bug tracker that demonstrates how to exploit a vulnerability in the Browser Fetch API, a standard that manages background downloads of large files. The vulnerability has been unfixed for 29 months since independent researcher Lyra Rebane privately reported it to Google in late 2022.
Google classified it as S1, the second-highest severity tier. The exploit allows an attacker visiting any website to establish a persistent connection that monitors some aspects of browser usage and enables the compromised device to serve as an anonymous proxy for others. Depending on the browser, the connection persists even after reboot.
Rebane assumed the publication meant the vulnerability was finally fixed. Within hours, she discovered it remained unpatched. Google removed the post, but the exploit code is already archived on public sites.
This is a limited backdoor with scale implications
The exploit itself is constrained to what a browser can do: visit sites, provide proxy browsing, enable proxied DDoS attacks, and log user activity. But the real threat lies in scale. An attacker can infect thousands or millions of devices with a single redirect to a malicious site, then weaponize that network later when a second vulnerability is discovered.
Rebane noted that using the published exploit "would be pretty easy," though scaling it to wrangle large numbers of devices into a single botnet would require more work. The danger is not the exploit itself but having a large dormant network ready to activate.
Chrome, Microsoft Edge, and virtually all Chromium-based browsers are affected. The 29-month patch delay exposes a structural problem: even critical vulnerabilities can languish for years without fix. Google removed the public disclosure but took no action to patch the underlying flaw.
Assume active exploitation and monitor for it
Network defenders should treat this as a live threat. Look for unusual outbound connections from browsers, especially those that persist across reboots or survive browser restarts. Implement connection monitoring that flags long-lived browser sessions to unknown or suspicious external IPs. Treat any Chromium-based browser as potentially compromised if it has accessed untrusted sites in the past 29 months.
For organizations running Chrome or Edge on managed endpoints, prioritize updating to the next patched version once released. Until then, disable the Fetch API in group policy if your workload permits, or restrict which sites browsers can visit via proxy rules.