
Google Accidentally Leaks Details of Unpatched Chromium Security Vulnerability

The bottom line: Google has disclosed details of an unpatched Chromium security vulnerability that allows attackers to persistently execute JavaScript code on devices. The vulnerability affects Chrome, Edge, Brave and other Chromium-based browsers and was incorrectly marked as “fixed” despite still being active.

A serious vulnerability in Chromium enables attackers to run JavaScript code in the background even when the browser is closed. Google accidentally disclosed the vulnerability before it was patched; the flaw, discovered by security researcher Lyra Rebane, could endanger millions of users.

A critical vulnerability in Chromium has been accidentally disclosed by Google. The vulnerability, discovered by security researcher Lyra Rebane in 2022, allows attackers to remotely execute JavaScript code on visitors' devices, even when the browser is closed. This occurs through malicious Service Workers, such as fake download tasks that never terminate.

The scenario is alarming: a single website could turn tens of thousands of browsers into a JavaScript botnet without users noticing. Potential attack scenarios include distributed denial-of-service (DDoS) attacks, malware distribution, and internet traffic rerouting.

The vulnerability affects all Chromium-based browsers—including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. Particularly concerning is that Edge no longer displays download notifications, making the exploit completely invisible.

Despite acknowledging the vulnerability as a “critical issue” in October 2024, Google marked it as “fixed” in February without actually providing a patch. The Chrome Vulnerability Rewards Program (VRP) platform removed access restrictions after 14 weeks, at which point Rebane immediately noticed the bug was still present. The accidental disclosure of details now makes exploitation significantly easier. However, Rebane notes that the vulnerability does not bypass browser security boundaries and does not grant attackers access to emails, files, or the operating system.
