Google has released working exploit code for a vulnerability in Chromium that has remained unpatched for 29 months. The flaw, located in the Browser Fetch API, allows any website a user visits to turn their device into a limited botnet node.
The proof-of-concept code exploits a standard used for downloading large files like long videos. Attackers can use the connection to monitor some aspects of browser activity and as a proxy for launching denial-of-service attacks. In some browsers, the connection persists even after a reboot.
The Vulnerability
The unfixed bug affects Chrome, Microsoft Edge and virtually every other browser built on Chromium. A visit to a malicious site is enough to trigger the exploit. Once compromised, a device can be used for proxied DDoS attacks, anonymous browsing by others and user activity monitoring.
While the capabilities are limited to what a browser can do, the exploit could let an attacker assemble thousands or even millions of devices into a network. A separate vulnerability could then be used to take full control of those machines.
Why This Matters
Hundreds of millions of people rely on Chromium-based browsers daily. Google's decision to publicly publish exploit code for an unfixed flaw puts those users at increased risk. Security researchers warn that the code lowers the barrier for attackers to build botnets from ordinary computers and phones.
Organizations that rely on Chrome or Edge for internal operations face an especially high threat. The lack of a patch after more than two years means exposure will continue indefinitely. Users can reduce risk by limiting browser extensions, avoiding unknown websites and using security tools that block suspicious connections.
The vulnerability has been assigned CVE number but no fix has been released. Google has not announced a timeline for a patch. Users should treat any browser activity as potentially monitored until the flaw is addressed.
