While Windows is unaffected due to system-level restrictions, this flaw places services running on localhost at risk
A newly disclosed browser vulnerability, dubbed “0.0.0.0 Day,” could allow attackers to send malicious requests to local networks, potentially leading to remote code execution (RCE). The flaw, discovered by Oligo Security, affects all major browsers, including Google Chrome, Mozilla Firefox, Apple Safari, and Chromium-based browsers like Microsoft Edge.
The vulnerability exploits the ability of public websites to contact the 0.0.0.0 IP address, which redirects to localhost (127.0.0.1) on macOS and Linux devices. While Windows is unaffected due to system-level restrictions, this flaw places services running on localhost at risk, as many lack sufficient authentication measures. In response, browser developers are swiftly implementing fixes. Google has started deprecating 0.0.0.0 access in Chromium 128, with a complete block expected by version 133. Apple and Mozilla are also updating their respective browsers to block such requests, with Mozilla planning to incorporate Private Network Access (PNA) for added security.
Oligo Security emphasizes the need for app developers to enhance security on localhost environments, recommending the use of Cross Site Request Forgery (CSRF) tokens, HTTPS, and PNA headers. Users are advised to block redirects from 0.0.0.0, restrict local services to specific IP addresses, and keep their browsers updated to protect against potential exploitation. As browser updates roll out, staying vigilant against this critical flaw is essential for both developers and users.
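The developer-side mitigations listed above (bind to a specific address, validate the Host header, refuse cross-site and Private Network Access preflight requests, and require CSRF tokens on state-changing calls) can be combined in one request-screening step. The following is an added example for this article, not code from Oligo Security or any browser vendor; the header names (Host, Origin, Sec-Fetch-Site, Access-Control-Request-Private-Network, X-CSRF-Token) are real, while the port 8080 and the sample requests in the usage note are constructed.

```python
"""Hardened localhost service: screen each request before acting on it.

Added example (not the article's or Oligo Security's code). It follows the
article's advice: listen on 127.0.0.1 rather than 0.0.0.0, reject requests
whose Host header is not a loopback name (Host: 0.0.0.0 is how the
"0.0.0.0 Day" requests arrive), reject cross-site requests, refuse Private
Network Access preflights, and demand a CSRF token on writes.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit
import hmac
import secrets

# Bind explicitly to loopback; binding to 0.0.0.0 would expose the service on
# every interface.  Port 8080 is an assumption for this example.
BIND_ADDRESS = ("127.0.0.1", 8080)

# Hostnames a browser may legitimately use to reach this service.
ALLOWED_HOSTS = {"127.0.0.1", "localhost", "::1"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# One per-process CSRF token, handed to the local UI and required on writes.
CSRF_TOKEN = secrets.token_urlsafe(32)


def _hostname(host_header: str) -> str:
    """Strip the port (and IPv6 brackets) from a Host header value."""
    if host_header.startswith("["):            # bracketed IPv6 literal
        return host_header[1:].split("]", 1)[0]
    return host_header.split(":", 1)[0]


def screen_request(method: str, headers: dict) -> tuple[int, str]:
    """Return (status, reason); 200 means the request may be processed."""
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Host check: catches Host: 0.0.0.0 and DNS-rebinding style hostnames.
    host = _hostname(h.get("host", ""))
    if host not in ALLOWED_HOSTS:
        return 403, f"unexpected Host {host!r}"

    # 2. Fetch Metadata: browsers tag cross-site requests themselves.
    site = h.get("sec-fetch-site")
    if site not in (None, "same-origin", "none"):
        return 403, f"Sec-Fetch-Site {site!r} rejected"

    # 3. Origin, when present, must itself be a loopback origin.
    origin = h.get("origin")
    if origin is not None and urlsplit(origin).hostname not in ALLOWED_HOSTS:
        return 403, f"Origin {origin!r} rejected"

    # 4. Private Network Access preflight: never grant it to a public page.
    if h.get("access-control-request-private-network", "").lower() == "true":
        return 403, "private network access preflight denied"

    # 5. State-changing methods need the CSRF token (constant-time compare).
    if method.upper() not in SAFE_METHODS:
        token = h.get("x-csrf-token", "")
        if not hmac.compare_digest(token, CSRF_TOKEN):
            return 403, "missing or invalid CSRF token"

    return 200, "ok"


class LocalHandler(BaseHTTPRequestHandler):
    """Minimal handler that applies screen_request() to every method."""

    def _handle(self) -> None:
        status, reason = screen_request(self.command, dict(self.headers))
        body = reason.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_OPTIONS = _handle


if __name__ == "__main__":
    HTTPServer(BIND_ADDRESS, LocalHandler).serve_forever()
```

With this in place a request carrying `Host: 0.0.0.0:8080` is refused before any application logic runs, a page on another site that reaches the service through a browser is stopped by the Sec-Fetch-Site and Origin checks, and a write without the token is refused even from a loopback origin. The Host check is the one that matters for the 0.0.0.0 case specifically; the other checks are the CSRF and PNA measures the article recommends.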