Google’s Chromium Bug Leak Exposes Unfixed JavaScript Execution Flaw
Google accidentally leaked details of an unfixed vulnerability in Chromium that allows JavaScript to run persistently in the background even after the browser is closed, enabling remote code execution (RCE) on affected devices. The flaw, reported by security researcher Lyra Rebane in December 2022, was initially acknowledged but remains unresolved despite multiple attempts to patch it.
The vulnerability stems from a malicious webpage exploiting a Service Worker to maintain active JavaScript execution. Attackers could use this to turn browsers into unwitting participants in a botnet, capable of launching DDoS attacks, proxying malicious traffic, or redirecting users to targeted sites. Rebane demonstrated that the exploit could silently persist in Microsoft Edge without triggering download prompts, making it harder to detect.
The issue affects all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Arc. Despite being marked as "fixed" in February 2024 under Google’s Vulnerability Rewards Program (VRP), with Rebane awarded a $1,000 bounty, the patch was incomplete. On May 20, 2024, after the bug’s details were mistakenly made public, Rebane confirmed the exploit still worked in Chrome Dev 150 and Edge 148, calling it a "completely silent JS RCE" that activates from a single website visit.
While the flaw does not bypass browser security boundaries or grant access to emails, files, or the host OS, its public exposure increases the risk of widespread exploitation. Google has since reclassified the issue as private, but the leak may accelerate the release of an emergency fix. No official response from Google has been provided as of publication.
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security-response-center
Vivaldi Technologies TPRM report: https://www.rankiteo.com/company/vivaldi-technologies
Google TPRM report: https://www.rankiteo.com/company/google
Brave Software TPRM report: https://www.rankiteo.com/company/brave-software
The Browser Company TPRM report: https://www.rankiteo.com/company/browser-engines
Opera Software TPRM report: https://www.rankiteo.com/company/opera-colorado
"id": "opemicbragoovivbro1779395125",
"linkid": "opera-colorado, microsoft-security-response-center, brave-software, google, vivaldi-technologies, browser-engines",
"type": "Vulnerability",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All users of Chromium-based '
                                              'browsers',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Google Chrome',
                        'type': 'Web Browser'},
                       {'customers_affected': 'All users of Chromium-based '
                                              'browsers',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft Edge',
                        'type': 'Web Browser'},
                       {'customers_affected': 'All users of Chromium-based '
                                              'browsers',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Brave',
                        'type': 'Web Browser'},
                       {'customers_affected': 'All users of Chromium-based '
                                              'browsers',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Opera',
                        'type': 'Web Browser'},
                       {'customers_affected': 'All users of Chromium-based '
                                              'browsers',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Vivaldi',
                        'type': 'Web Browser'},
                       {'customers_affected': 'All users of Chromium-based '
                                              'browsers',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Arc',
                        'type': 'Web Browser'}],
 'attack_vector': 'Malicious webpage exploiting Service Worker',
 'date_detected': '2022-12',
 'date_publicly_disclosed': '2024-05-20',
 'description': 'Google accidentally leaked details of an unfixed '
                'vulnerability in Chromium that allows JavaScript to run '
                'persistently in the background even after the browser is '
                'closed, enabling remote code execution (RCE) on affected '
                'devices. The flaw, reported by security researcher Lyra '
                'Rebane in December 2022, was initially acknowledged but '
                'remains unresolved despite multiple attempts to patch it. The '
                'vulnerability stems from a malicious webpage exploiting a '
                'Service Worker to maintain active JavaScript execution. '
                'Attackers could use this to turn browsers into unwitting '
                'participants in a botnet, capable of launching DDoS attacks, '
                'proxying malicious traffic, or redirecting users to targeted '
                'sites. Rebane demonstrated that the exploit could silently '
                'persist in Microsoft Edge without triggering download '
                'prompts, making it harder to detect.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'unresolved vulnerability leak',
            'operational_impact': 'Browsers turned into botnet participants '
                                  'for DDoS attacks, malicious traffic '
                                  'proxying, or user redirection',
            'systems_affected': 'Chromium-based browsers (Google Chrome, '
                                'Microsoft Edge, Brave, Opera, Vivaldi, Arc)'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'Incomplete patching of Service '
                                           'Worker vulnerability in Chromium'},
 'references': [{'source': 'Security researcher Lyra Rebane'},
                {'source': 'Google Vulnerability Rewards Program (VRP)'}],
 'response': {'remediation_measures': 'Incomplete patch released in February '
                                      '2024; reclassified as private after '
                                      'public leak'},
 'title': 'Google’s Chromium Bug Leak Exposes Unfixed JavaScript Execution '
          'Flaw',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'Unfixed JavaScript execution flaw in Chromium '
                            'Service Worker'}