0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices
Briefly

The critical vulnerability 'exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices.' - Avi Lumelsky, Oligo Security.
Oligo Security found that a public website (an ordinary '.com' domain) can reach services on a visitor's own machine by sending requests to the address 0.0.0.0 instead of localhost or 127.0.0.1: on macOS and Linux the operating system routes 0.0.0.0 to the loopback interface, yet browsers did not treat the address as local and let the request through.
Any service that can be reached through 0.0.0.0 on the victim's machine is a target; Oligo demonstrated remote code execution against a Selenium Grid instance by sending a POST request to 0.0.0.0:4444 with a crafted payload. Binding a service to 127.0.0.1 instead of 0.0.0.0 does not by itself prevent this, since the browser's request still arrives on loopback.
Web browsers are expected to block access to 0.0.0.0 in response to the vulnerability, so that public pages can no longer reach local services or trigger remote code execution through them; until that ships, local services should validate the Host and Origin headers themselves.
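As an added example (not code from the original article or from Oligo Security), the server-side check a local development service can apply today, regardless of whether the browser fix has shipped. A request that reached loopback via the 0.0.0.0 trick carries a Host header of 0.0.0.0:port and, being cross-origin, an Origin header naming the attacking site; a legitimate local client sends localhost or 127.0.0.1 and usually no Origin at all. The port 4444 and the header values in the demo are assumptions for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Host names a local client legitimately uses. 0.0.0.0 is deliberately
# absent: a browser request that was routed to loopback by resolving the
# unspecified address arrives as "Host: 0.0.0.0:<port>".
LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "[::1]"}


def host_is_local(host_header):
    """True if the Host header names loopback (handles "[::1]:4444" too)."""
    name = host_header.strip().lower()
    if name.startswith("["):                    # bracketed IPv6 literal
        name = name.split("]")[0] + "]"
    else:
        name = name.split(":")[0]               # drop the port
    if name in LOCAL_HOSTNAMES:
        return True
    try:
        ip = ipaddress.ip_address(name.strip("[]"))
    except ValueError:                          # a DNS name we do not know
        return False
    if ip.is_unspecified:                       # 0.0.0.0 or :: -> reject
        return False
    return ip.is_loopback                       # e.g. 127.0.0.5


def origin_is_allowed(origin_header, allowed_origins=()):
    """Cross-origin browser requests carry Origin; accept only local ones."""
    if origin_header is None:                   # same-origin or non-browser client
        return True
    parts = urlsplit(origin_header)
    if parts.scheme not in ("http", "https"):
        return False
    return host_is_local(parts.netloc) or origin_header in allowed_origins


def should_serve(headers):
    """Return (allowed, reason) for a mapping of request headers."""
    host = headers.get("Host")
    if not host or not host_is_local(host):
        return False, "Host header is not a loopback name"
    if not origin_is_allowed(headers.get("Origin")):
        return False, "cross-origin request from a non-local Origin"
    return True, "ok"


class GuardedHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies the guard before doing any work."""

    def _guard(self):
        ok, why = should_serve(self.headers)
        if not ok:
            self.send_error(403, why)
        return ok

    def do_POST(self):
        if not self._guard():
            return
        length = int(self.headers.get("Content-Length", 0))
        self.rfile.read(length)                 # the real service would act here
        self.send_response(204)
        self.end_headers()

    do_GET = do_POST


def demo():
    # Constructed header sets: the attack as described, and a normal local client.
    attack = {"Host": "0.0.0.0:4444", "Origin": "https://attacker.example"}
    local = {"Host": "localhost:4444"}
    return should_serve(attack)[0], should_serve(local)[0]


if __name__ == "__main__":
    # Assumed port 4444 (Selenium Grid's default) purely for the demonstration.
    HTTPServer(("127.0.0.1", 4444), GuardedHandler).serve_forever()
```

The Host check alone defeats the 0.0.0.0 vector; the Origin check additionally stops a page on a public site from driving the service through a browser even if a future bypass produces a local-looking Host value.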
Read at The Hacker News