Cybersecurity experts have identified a significant “0.0.0.0 Day” vulnerability affecting major web browsers, which malicious websites could exploit to infiltrate local networks.
This critical flaw “reveals a fundamental weakness in the way browsers manage network requests, potentially allowing attackers to gain access to sensitive services operating on local devices,” explained Avi Lumelsky, a researcher at Oligo Security.
According to the Israeli cybersecurity firm, the implications of this vulnerability are extensive, originating from inconsistent security implementations and a lack of standardization across different browsers.
Consequently, a seemingly benign IP address like 0.0.0.0 can be misused to target local services, leading to unauthorized access and remote code execution by external attackers. This vulnerability has reportedly existed since 2006.
The 0.0.0.0 Day flaw affects Google Chrome/Chromium, Mozilla Firefox, and Apple Safari, enabling external websites to interact with software running locally on macOS and Linux. Windows devices are not impacted, however, because Microsoft blocks the IP address at the OS level.
Oligo Security found that public websites with domains ending in “.com” can interact with local network services and execute arbitrary code on the user’s machine by using the 0.0.0.0 address instead of localhost/127.0.0.1.
This issue also bypasses Private Network Access (PNA), which is designed to prevent public websites from accessing endpoints within private networks directly.
Any application running on localhost and accessible via 0.0.0.0 is at risk of remote code execution, including local Selenium Grid instances that can be targeted by sending a POST request to 0.0.0.0:4444 with a crafted payload.
In response to these findings, web browsers are expected to block access to 0.0.0.0 entirely, thereby eliminating direct access to private network endpoints from public websites.
Lumelsky noted, “When services rely on localhost, they operate under the assumption of a controlled environment. This assumption, which can be flawed as demonstrated by this vulnerability, results in insecure server configurations.”
“By combining 0.0.0.0 with ‘no-cors’ mode, attackers can exploit public domains to target services running on localhost and even achieve arbitrary code execution (RCE) with a single HTTP request.”
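As an added example (not code from the article or from Oligo Security), the following loopback-only HTTP handler shows the server-side check a local service can apply so that a browser request addressed to 0.0.0.0 instead of localhost, or one originating from a public web page, is refused; the function and handler names and the port are hypothetical.

```python
"""Host/Origin validation for a service meant to be reachable only on
loopback. A request that a browser sends to 0.0.0.0 carries a Host
header of 0.0.0.0:<port>, so it fails the Host check; a request from a
page on a public domain carries that domain as Origin, so it fails the
Origin check. All names here are illustrative."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import urlsplit

# Host values a loopback-only service should accept (port is stripped).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_without_port(authority: str) -> str:
    """Return the host part of a Host or Origin authority, minus the port."""
    host = authority.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        return host[: host.index("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_local_request(host_header: Optional[str],
                     origin_header: Optional[str]) -> bool:
    """True only if the request was addressed to a loopback name and,
    when the browser supplied an Origin, that origin is loopback too."""
    if not host_header or host_without_port(host_header) not in LOOPBACK_HOSTS:
        return False                              # e.g. Host: 0.0.0.0:4444
    if origin_header and origin_header.lower() != "null":
        if host_without_port(urlsplit(origin_header).netloc) not in LOOPBACK_HOSTS:
            return False                          # e.g. Origin: https://public.example
    return True


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Rejects any request that does not pass is_local_request()."""

    def do_POST(self):
        if not is_local_request(self.headers.get("Host"), self.headers.get("Origin")):
            self.send_error(403, "request must be addressed to and from loopback")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok\n")

    do_GET = do_POST


if __name__ == "__main__":
    # Bind to 127.0.0.1, not 0.0.0.0: a 0.0.0.0 bind is what makes the
    # service reachable through the browser path the article describes.
    HTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```

The Host check alone stops the 0.0.0.0 variant; the Origin check additionally covers a public page that reaches the service through a name the service does accept.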