0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)

The Oligo Security blog https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser

a web-browser vulnerability that has been named "0.0.0.0 day".  In short,
browsers will allow JavaScript code to open connections to the all-zeroes
IPv4 address; the result is that any port that is open on the local host
can be accessed by a remote site.  "When services use localhost, they
assume a constrained environment. This assumption, which can (as in the
case of this vulnerability) be faulty, results in insecure server
implementations."

https://lwn.net/Articles/984838/