The issue impacts nearly every major browser built on Chromium, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
The vulnerability remained unresolved for 29 months before details and exploit code suddenly appeared on Google’s Chromium bug tracker Wednesday morning.
The publication has triggered criticism from security researchers and renewed scrutiny over how major technology companies manage vulnerability disclosure and patch timelines.
That distinction highlights an increasingly important issue in browser security: monoculture risk.
Until then, millions of Chromium users may remain exposed to a vulnerability that security researchers say should never have become public before a fix was ready.
A major security controversy has erupted after Google accidentally published proof-of-concept exploit code for a serious vulnerability in the Chromium browser engine before a security patch had been released — exposing potentially millions of users of Chromium-based browsers to abuse.
The flaw, first privately disclosed to Google in late 2022, affects the Browser Fetch API, a background downloading feature built into Chromium. The vulnerability could allow malicious websites to silently maintain persistent connections to a victim’s browser, effectively transforming ordinary web browsers into components of a lightweight botnet capable of anonymous proxy activity, user monitoring, and distributed denial-of-service (DDoS) operations.
The issue impacts nearly every major browser built on Chromium, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc.
The vulnerability remained unresolved for 29 months before details and exploit code suddenly appeared on Google’s Chromium bug tracker Wednesday morning. Although the post was later removed, archived versions remain publicly accessible.
The publication has triggered criticism from security researchers and renewed scrutiny over how major technology companies manage vulnerability disclosure and patch timelines.
How the Exploit Works
At the center of the issue is Chromium’s Browser Fetch API — a feature designed to allow websites and web applications to continue downloading large files, such as videos or software packages, in the background even when a webpage is closed.
Threat actors can abuse this mechanism by opening a persistent service worker through malicious JavaScript embedded on a website.
Once triggered, the exploit can maintain long-lasting browser connections that survive browser restarts and, in some cases, even device reboots.
Although the exploit does not grant full system access or allow attackers to directly steal files or passwords, experts say its persistence makes it unusually dangerous.
The malicious connection can be used to:
Route anonymous browsing traffic through victim devices
Launch proxy-based DDoS attacks
Monitor aspects of user browsing activity
Maintain persistent communication channels
Potentially serve as infrastructure for future attacks
The vulnerability is especially concerning because it effectively creates a “browser-level foothold” without triggering many conventional security alarms.
Browsers Could Become Part of Covert Networks
Researchers say the flaw’s most alarming implication is scale.Because the exploit can be triggered simply by visiting a malicious website, attackers could theoretically compromise vast numbers of devices with little user interaction.
Unlike traditional malware infections, victims may never install software or download suspicious files. This is essentially a browser persistence mechanism If paired later with a separate remote code execution vulnerability, it could become extremely powerful.
Experts compare the concept to early botnet infrastructure, except operating entirely through browser functionality rather than malicious executables. That distinction could make detection significantly harder.
Why Detection May Be Difficult
The exploit reportedly behaves differently depending on the browser.
On Microsoft Edge, users may briefly see a download dropdown window appear unexpectedly, though no visible file download occurs. After subsequent launches, the visual indicator may disappear entirely.
On Google Chrome, the download notification appears more persistently, though researchers say most users would likely dismiss it as a harmless interface glitch or background browser behavior.
Less technically experienced users are unlikely to realize their browsers have been compromised.
The exploit also avoids many behaviors commonly associated with malware:
No suspicious executable files
No privilege escalation
No antivirus signature matches
No traditional installation process
That makes browser-based persistence particularly difficult to identify using standard endpoint security tools.
Google Faces Questions Over Disclosure Practices
The accidental publication has raised difficult questions for Google and the broader cybersecurity industry.
Major technology companies typically follow coordinated vulnerability disclosure procedures, ensuring that details of severe security flaws remain confidential until patches are ready for deployment.
Publishing exploit code before a fix exists is widely considered a worst-case scenario in vulnerability management because it dramatically lowers the technical barrier for attackers.
Google has not publicly explained how the disclosure occurred.
We still do not have answers to the following:
Why the exploit was published
Whether the disclosure was accidental
When a patch will be released
Whether evidence of active exploitation exists
The incident may also reignite debate around Chromium’s growing dominance in the browser ecosystem. Because Chromium serves as the foundation for numerous competing browsers, vulnerabilities within the engine can rapidly affect a massive portion of global internet users simultaneously.
Chromium-based browsers account for well over 70% of worldwide browser usage.
Firefox and Safari Remain Unaffected
Mozilla Firefox and Safari are not vulnerable because they do not implement the Browser Fetch API in the same way as Chromium-based browsers.
That distinction highlights an increasingly important issue in browser security: monoculture risk.
For years, cybersecurity experts have warned that heavy industry reliance on a single browser engine could create systemic vulnerabilities affecting billions of users at once.
A flaw in Chromium no longer affects one browser — it affects nearly the entire modern web ecosystem.
Potential Consequences for Users
At present, there is no evidence the exploit is being actively deployed at large scale.
However, the public release of exploit code significantly increases that possibility.
We recommend Chromium users:
Avoid suspicious or unfamiliar websites
Monitor unexplained browser download prompts
Keep browsers fully updated
Watch for emergency Chromium security patches
Consider temporary use of non-Chromium browsers for sensitive activities
Enterprise cybersecurity teams may also begin monitoring browser service worker behavior more aggressively until patches become available.
A Critical Moment for Browser Security
The incident underscores the increasingly blurred line between browsers and operating systems.
Modern browsers now manage downloads, storage, notifications, hardware acceleration, credentials, extensions, and persistent background processes — dramatically expanding the attack surface available to cybercriminals.
As browsers evolve into full application platforms, vulnerabilities once considered minor can potentially become infrastructure-level security risks.
For Google, the challenge now is not only delivering a patch quickly, but also restoring confidence in the disclosure and remediation processes behind the world’s most widely used browser engine.
Until then, millions of Chromium users may remain exposed to a vulnerability that security researchers say should never have become public before a fix was ready.
