Type Confusion in V8 in Google Chrome
CVE-2025-6554 is a high-severity type confusion vulnerability in V8, the JavaScript and WebAssembly engine used by Google Chrome and other Chromium-based browsers. Google Chrome versions prior to 138.0.7204.96 are affected. A remote attacker can trigger the flaw via a crafted HTML page, causing type confusion in V8 and enabling arbitrary read/write memory access. Multiple references characterize it as a Chrome zero-day that was actively exploited in the wild. The vulnerable component is V8; no more specific vulnerable function is identified in the available material. The proof-of-concept repositories listed below describe their attack vector as local because they run in the d8 shell or a V8 debug build; in a browser, a crafted web page supplies that same JavaScript execution, so the remote vector still applies.
Exploits
8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a proof-of-concept (POC) exploit for CVE-2025-6554, targeting the Google V8 JavaScript engine. The main file, CVE-2025-6554.js, demonstrates advanced exploitation techniques by constructing JavaScript primitives (addrof, fakeobj) that allow arbitrary memory read and write operations within the V8 engine. The exploit leverages V8's optimization and object handling mechanisms to corrupt memory and gain these powerful primitives. The README provides detailed instructions for running the exploit, including the need to use the d8 shell with the --allow-natives-syntax flag, and references to further technical analysis and acknowledgments. The exploit is a POC and does not include a weaponized payload, but it provides the necessary building blocks for further exploitation, such as sandbox escape or arbitrary code execution. No network endpoints are involved; the attack vector is local, requiring the ability to execute JavaScript in a vulnerable V8 environment.
This repository contains a proof-of-concept exploit for CVE-2025-6554, a vulnerability in the V8 JavaScript engine. The main file, 'CVE-2025-6554.js', demonstrates how to achieve powerful JavaScript exploitation primitives: 'addrof' (get the address of a JavaScript object), 'fakeobj' (create a fake JavaScript object at a controlled address), and arbitrary 64-bit read/write. These primitives are essential for further exploitation, such as escaping the V8 sandbox or achieving remote code execution in contexts where V8 is embedded (e.g., Chrome). The exploit leverages V8's internal optimization and type confusion bugs, as evidenced by the use of '%PrepareFunctionForOptimization' and related V8-specific syntax. The README provides context, references, and reproduction instructions, specifying the need for a particular V8 commit and the d8 shell with native syntax enabled. No network or external endpoints are referenced in the code; the exploit is purely local and targets the V8 engine's memory model.
This repository is a proof-of-concept (PoC) for CVE-2025-6554, a critical vulnerability in the V8 JavaScript engine (used in Chrome, Node.js, and other platforms). The vulnerability involves a flaw in the Temporal Dead Zone (TDZ) check when using the optional chaining operator (?.), allowing access to uninitialized variables and potentially leaking the internal 'hole' value. This can be used as a primitive for further exploitation, such as type confusion or memory disclosure. The repository contains the following files:
- Exploit.js: the main exploit code, demonstrating the TDZ bypass and memory leak primitive. It uses V8-specific debug functions to print the leaked value.
- Test-Exploit.js: a variant of the exploit with error handling and output for easier testing in Node.js or V8 debug builds.
- poc.html: an HTML file for browser-based testing of the vulnerability, with a UI to run the exploit and display results.
- README.md: detailed documentation in Chinese, including technical background, usage instructions, and mitigation advice.
- package.json: project metadata and scripts for running and testing the exploit.
- LICENSE: MIT license.
The exploit can be run in a V8 debug build, Node.js, or a browser. It does not contain a weaponized payload but demonstrates the vulnerability and its impact. The code is intended for research and educational purposes only. No hardcoded IPs or C2 endpoints are present; the only endpoints are documentation and bug reporting URLs. The attack vector is both browser-based (via JavaScript in a web page) and local (via Node.js or V8 shell).
This repository contains two main JavaScript files, 'exploit.js' and 'poc.js', both targeting CVE-2025-6554, a vulnerability in the V8 JavaScript engine. The exploit is designed to be run in the d8 shell (V8's standalone runtime) built from a specific commit (609a85c2a1bd77d6f6905369f4bc4fcf34c5db09). The exploit leverages a bug in V8's optimization and type inference pipeline, specifically manipulating the handling of the 'hole' value in arrays and the removal of type guards during optimization. This allows the attacker to create a situation where array bounds can be bypassed, potentially leading to out-of-bounds access and memory corruption. The code is a proof-of-concept (POC) and does not include a weaponized payload, but demonstrates the core vulnerability and the steps required to trigger it. The repository is well-commented, referencing relevant V8 source code and providing detailed explanations of the exploitation technique. No network endpoints are present; the attack vector is local, requiring the ability to execute JavaScript in a vulnerable V8 environment.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-6554, an information disclosure vulnerability in the Google V8 JavaScript engine (version 13.8.500258). The repository contains three files: a README.md with detailed build and execution instructions for both macOS and Linux, a JavaScript PoC exploit (poc-CVE-2025-6554.js), and a shell script (v8asan.sh) to configure the V8 build with AddressSanitizer (ASAN) enabled. The exploit demonstrates how, under certain conditions, sensitive data from a JavaScript object can be leaked, indicating a flaw in V8's handling of object and array optimizations. The attack vector is local, requiring the user to build and run a custom V8 binary with ASAN. No network endpoints are involved; all actions are performed locally. The PoC is intended for researchers and developers to reproduce and analyze the vulnerability.
This repository provides a proof-of-concept (POC) exploit for CVE-2025-6554, a vulnerability in Google Chrome's V8 JavaScript engine. The exploit demonstrates how, due to inadequate temporal dead zone (TDZ) checks in V8's handling of optional chaining, an attacker can access the internal 'hole' value (the uninitialized variable sentinel) by referencing a variable before its declaration. The main exploit logic is contained in 'Exploit.js', which defines a function that uses optional chaining to bypass TDZ protections and returns the value of an uninitialized variable. The README.md provides a detailed technical explanation of the vulnerability, bytecode differences before and after the patch, and the attack flow. 'Test-Exploit.js' is a variant that wraps the exploit in a try-catch and prints the result, making it easier to observe the exploit's effect. The exploit requires a debug build of V8 and is intended for local testing and research. No remote or network endpoints are targeted; the attack vector is local, requiring the ability to execute JavaScript in a vulnerable V8 environment.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-6554. The main file, PoC.html, is a standalone HTML file containing embedded JavaScript code. The exploit attempts to demonstrate an information disclosure vulnerability by repeatedly calling a function with a crafted array and object, aiming to leak the value of a 'secret' property from a JavaScript object. If successful, the leaked secret is displayed on the page. The exploit is intended to be run in a browser environment and serves as a minimal demonstration of the underlying vulnerability. There are no hardcoded network endpoints, IP addresses, or file paths present in the code. The repository structure is simple, consisting of the PoC HTML file and a minimal README referencing the CVE.
This repository contains a proof-of-concept exploit for CVE-2025-6554, a vulnerability in the V8 JavaScript engine. The exploit demonstrates how, due to an incorrect Temporal Dead Zone (TDZ) check, the internal 'The Hole' sentinel value can be leaked into user code. The repository consists of a README.md explaining the bug and its impact, and a single JavaScript file (poc.js) that implements the exploit. The code does not target any network endpoints or external systems; it is a local exploit intended to be run in a vulnerable V8 environment. The exploit's main capability is to leak an internal engine value, which could be used as a primitive for further attacks such as type confusion or scope bypass. No fingerprintable endpoints are present in the code.
Recent activity
174 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Google Chrome V8 type confusion vulnerability used as a zero-day to enable remote arbitrary code execution.
A Chromium V8 type confusion vulnerability referenced in the advisory section.
Type confusion vulnerability in Chrome V8 allowing arbitrary code execution.
A critical V8 JavaScript engine flaw, likely involving type confusion or memory corruption, actively exploited in the wild.