The fix for CVE-2022-32212 covered the cases for routable IP addresses. However, macOS devices exhibit a specific behavior when handling the http://0.0.0.0 URL that allows an attacker-controlled DNS server to bypass the DNS rebinding protection by resolving hosts in the .local domain.
An attacker with access to a compromised DNS server, or the ability to spoof its responses, can gain access to the Node.js debugger, which can result in remote code execution.
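
A defensive Host-header check for a loopback-only debug endpoint, as an added example (not Node.js's own inspector code). The function names and the policy are assumptions: accept only loopback IP literals and the literal name localhost, so that 0.0.0.0 and any .local name are refused.

```javascript
// Added example; helper names are hypothetical, not Node.js inspector code.

// Strict dotted-decimal IPv4: four octets, 0-255, no leading zeros
// (so octal- or hex-looking forms are never treated as addresses).
function parseIPv4(host) {
  const parts = host.split('.');
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^(0|[1-9]\d{0,2})$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Split a Host header value into host and optional port; handles [IPv6]:port.
function splitHost(header) {
  if (typeof header !== 'string') return null;
  const m = /^\[([0-9a-fA-F:]+)\](?::(\d{1,5}))?$/.exec(header) ||
            /^([A-Za-z0-9.-]+)(?::(\d{1,5}))?$/.exec(header);
  return m ? { host: m[1].toLowerCase(), port: m[2] } : null;
}

// Policy (assumption): trust only Host values that need no DNS answer,
// i.e. loopback IP literals and the literal name "localhost".
function isTrustedDebugHost(header) {
  const parsed = splitHost(header);
  if (!parsed) return false;
  const { host } = parsed;
  if (host === 'localhost') return true;
  if (host === '::1') return true;     // canonical IPv6 loopback only
  const v4 = parseIPv4(host);
  if (v4) return v4[0] === 127;        // 127.0.0.0/8; rejects 0.0.0.0
  return false;                        // any DNS name, including *.local
}

// Constructed sample Host headers (9229 is the default inspector port).
const samples = ['127.0.0.1:9229', 'localhost:9229', '[::1]:9229',
                 '0.0.0.0:9229', 'printer.local:9229', '0177.0.0.1:9229'];
for (const h of samples) console.log(h.padEnd(20), isTrustedDebugHost(h));
```

The check runs on the Host header before any debugger session is created; a rejected request should be closed without revealing session identifiers.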