Type Confusion in WebAssembly in Google Chrome

Small repository containing a README and a single JavaScript PoC. The code targets a Google Chrome/V8 WebAssembly garbage-collection type confusion issue affecting Chrome 123 and earlier. The PoC uses WasmModuleBuilder helpers to create 1,000,000 additional canonicalized types, causing canonical type IDs to wrap/truncate into the 20-bit ValueType representation. It then crafts a struct type intended to alias with kAny, defines a WASM function that performs struct.get on its argument, and calls that function with a plain JS value (0). According to the comments, this bypasses expected JS-to-WASM type validation and results in invalid memory access / segfault-like behavior, demonstrating arbitrary WASM type confusion. The README goes beyond the included code and outlines a full exploitation chain: initial JS-to-WASM type confusion, PartitionAlloc metadata abuse to leak chrome.dll and gain arbitrary write, and eventual CodePointerTable hijack for ROP/shellcode execution. However, the repository itself only contains a proof-of-concept demonstrating the primitive, not a full weaponized RCE exploit. No network communication, C2, or remote endpoints are present in the code.

This repository is a proof-of-concept exploit for CVE-2024-2887, a vulnerability in Google's V8 JavaScript engine related to WebAssembly GC support. The repository contains a GitHub Actions workflow to automate building a vulnerable version of V8 and its dependencies, and a Python script ('test_wasm_exploit.py') that serves as the main exploit harness. The script generates WebAssembly text modules (.wat) with a large number of struct types, compiles them to binary (.wasm) using 'wat2wasm', and executes them via a JavaScript harness using the d8 binary. The script iteratively increases the number of struct types to find the threshold at which the bug/crash is triggered, indicating the presence of the vulnerability. The exploit is local and requires the user to build and run V8 with specific options. No network endpoints are involved; all operations are performed on local files and binaries. The repository is structured for easy reproduction and testing of the vulnerability, with clear automation for environment setup and execution.

This repository contains a proof-of-concept (POC) exploit for CVE-2024-2887, a type confusion vulnerability in Google Chrome's WebAssembly (WASM) implementation. The repository consists of two files: a README.md providing context and references, and poc.js, which contains the exploit code. The JavaScript code in poc.js constructs a large number of WASM types and deliberately confuses type indexes, ultimately triggering a type confusion bug. This can lead to arbitrary code execution or a browser crash if run in a vulnerable version of Chrome. The exploit is intended for research and educational purposes and should be executed in a safe, isolated environment. No network or file system endpoints are hardcoded in the exploit; it is purely a browser-based attack vector targeting Chrome's WASM engine.