This is not a zero day. The 0.0.0.0 bypass has been documented for a while now[1], including PNA bypass[2].

[1] https://github.com/nccgroup/singularity/wiki/Protection-Bypasses

[2] https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
As someone who runs nginx locally for web development, this is scary. One mitigation I can think of is to use this config for your Mac's local nginx:

    server {
        listen 80 default_server;  # catch-all for any Host that no other server block claims
        server_name _;             # some invalid name that won't match anything
        return 444;                # nginx-specific: close the connection without sending a response
    }

And do the same thing for server_name localhost. For actual apps you are building, use a server_name like myapp.local rather than localhost. (edit: formatting)
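The same policy expressed at the application layer, as an added example that is not part of this thread and not the commenter's nginx config: a small local development HTTP server that binds to the loopback address only and checks every request's Host header against an explicit allowlist, closing the connection without a reply (the equivalent of nginx's `return 444`) when the Host is `0.0.0.0`, `localhost`, a bare IP, or anything else not on the list. The hostname `myapp.local` comes from the comment above; the port 8080, the handler and function names, and the allowlist contents are assumptions made for the example.

```python
# Added example (not from the thread): a loopback-only dev server that applies
# the same Host-based policy as the nginx snippet above, in application code.
# Names, the port and the allowlist are illustrative assumptions.
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import Iterable, Optional

DEFAULT_ALLOWED_HOSTS = frozenset({"myapp.local"})  # assumed dev hostname


def normalize_host(host_header: str) -> str:
    """Lowercase a Host header value and strip an optional :port suffix.

    Handles both "name:port" and bracketed IPv6 literals such as "[::1]:port".
    """
    value = host_header.strip().lower()
    if value.startswith("["):  # IPv6 literal: keep the bracketed address only
        end = value.find("]")
        return value[: end + 1] if end != -1 else value
    return value.rsplit(":", 1)[0] if ":" in value else value


def host_allowed(host_header: Optional[str],
                 allowed: Iterable[str] = DEFAULT_ALLOWED_HOSTS) -> bool:
    """Return True only for an exact (case-insensitive) allowlist match.

    A missing Host header is rejected too: a browser addressing the app by
    its configured name always sends one, so its absence is not a valid case.
    """
    if not host_header:
        return False
    return normalize_host(host_header) in {h.lower() for h in allowed}


class HostCheckingHandler(BaseHTTPRequestHandler):
    """Serves a trivial page, but only when the Host header is allowlisted."""
    allowed_hosts = DEFAULT_ALLOWED_HOSTS

    def do_GET(self):
        if not host_allowed(self.headers.get("Host"), self.allowed_hosts):
            # Equivalent of nginx "return 444": drop the connection, send nothing.
            # Requests that reached us via 0.0.0.0, localhost or a raw IP fall here.
            self.close_connection = True
            return
        body = b"hello from the dev app\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_server(port: int = 8080) -> ThreadingHTTPServer:
    # Bind to loopback only, never 0.0.0.0, so the service is not reachable
    # from other machines on the LAN regardless of the Host check.
    return ThreadingHTTPServer(("127.0.0.1", port), HostCheckingHandler)


if __name__ == "__main__":
    server = make_server()
    print("serving on http://myapp.local:8080 (loopback only)")
    server.serve_forever()
```

Run it, point `myapp.local` at 127.0.0.1 in `/etc/hosts`, and a request for `http://myapp.local:8080/` is answered while `http://0.0.0.0:8080/` or `http://localhost:8080/` gets the connection closed with no response. The Host check is deliberately an exact match on a short allowlist rather than a pattern, which is the same reasoning behind giving each app its own `server_name` instead of relying on `localhost`.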
The post includes some good remediation advice for application developers at the end.

As a user, an already available mitigation step is using uBlock Origin and enabling the prebundled "Block Outsider Intrusion into LAN" list. It's been an option for years and protects against this very vector (including 0.0.0.0).

That should give you an idea of how novel this finding is, BTW.