Out-of-bounds read/write in Google Chrome V8
CVE-2025-5419 is a high-severity memory corruption vulnerability in the V8 JavaScript and WebAssembly engine used by Google Chrome. In Google Chrome prior to 137.0.7151.68, improper bounds handling in V8 allows out-of-bounds read and write operations. A remote attacker can trigger the flaw by convincing a target to load a crafted HTML page, which can cause heap corruption in the browser process. Multiple sources state that the vulnerability was exploited in the wild, and some reporting notes it was discovered by Google Threat Analysis Group (TAG).
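The practical question for a defender is which clients are still running a build older than the fixed version stated above. The following is an added example, not code from this page or from Mallory: it pulls the Chrome/<version> token out of constructed web-server access-log lines, compares it against 137.0.7151.68, and flags clients that are below the fix. Two caveats are built in: Chromium derivatives such as Edge carry the same Chrome/ token but have their own fixed builds, so they are marked rather than judged, and "reduced" User-Agent strings report only the major version (for example Chrome/137.0.0.0), which cannot be compared against a four-part fixed version and are marked indeterminate. The log lines, IPs and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed Chrome version, as stated in the advisory text above.
FIXED_VERSION = "137.0.7151.68"
FIXED_MAJOR = 137

# Matches the Chrome/<version> token in a User-Agent string. The same token also
# appears in Chromium derivatives (Edge, Opera), whose fixed builds differ.
UA_CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")

# Constructed sample access-log lines (hypothetical, not real traffic).
SAMPLE_LOG = [
    '10.0.0.11 - - [02/Jun/2025:09:14:02 +0000] "GET / HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/136.0.7103.113 Safari/537.36"',
    '10.0.0.12 - - [02/Jun/2025:09:14:05 +0000] "GET / HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/137.0.7151.68 Safari/537.36"',
    '10.0.0.13 - - [02/Jun/2025:09:14:09 +0000] "GET / HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/137.0.7151.55 Safari/537.36"',
    '10.0.0.14 - - [02/Jun/2025:09:14:11 +0000] "GET / HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '10.0.0.15 - - [02/Jun/2025:09:14:15 +0000] "GET / HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/137.0.0.0 Safari/537.36 Edg/137.0.3296.52"',
    '10.0.0.16 - - [02/Jun/2025:09:14:20 +0000] "GET / HTTP/1.1" 200 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/138.0.0.0 Safari/537.36"',
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a 4-tuple of ints, zero-padded on the right."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def is_vulnerable_version(version: str) -> bool:
    """True when a full four-part Chrome version is older than the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def chrome_version_from_ua(ua: str) -> Optional[str]:
    """Return the Chrome/<version> token from a User-Agent string, or None if absent."""
    m = UA_CHROME_RE.search(ua)
    return m.group(1) if m else None


def classify(version: str) -> str:
    """Classify a Chrome version as vulnerable, patched or indeterminate.

    A reduced User-Agent (minor/build/patch all zero) only tells us the major
    version, so for major 137 it cannot decide whether the build is >= .7151.68.
    """
    v = parse_version(version)
    reduced_ua = v[1:] == (0, 0, 0)
    if reduced_ua:
        if v[0] < FIXED_MAJOR:
            return "vulnerable"
        if v[0] > FIXED_MAJOR:
            return "patched"
        return "indeterminate"
    return "vulnerable" if is_vulnerable_version(version) else "patched"


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan access-log lines and report each Chromium-based client with its status."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        version = chrome_version_from_ua(line)
        if version is None:
            continue  # not a Chromium-based User-Agent
        findings.append({
            "ip": line.split(" ", 1)[0],
            "version": version,
            "status": classify(version),
            # Derivatives embed the Chrome token; check their vendor advisories instead.
            "chromium_derivative": ("Edg/" in line) or ("OPR/" in line),
        })
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['ip']:<10} Chrome/{f['version']:<15} {f['status']:<14}"
              f"{' (Chromium derivative)' if f['chromium_derivative'] else ''}")
```

Run it as-is to see the constructed sample triaged; to use it on real logs, feed the lines of an access log with User-Agent logging enabled into triage_log(). Any "indeterminate" or derivative result should be resolved from the endpoint inventory rather than from the User-Agent string.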
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
Repository contains a JavaScript proof-of-concept exploit for CVE-2025-5419 in Google V8 (noted as Turboshaft Store-Store Elimination leading to an uninitialized read / type confusion style primitive). The main file (CVE-2025-5419.js) sets up float/int/bigint conversion helpers using a shared ArrayBuffer, then uses GC grooming (minor_gc/major_gc) and JIT warmup of two functions (opt_leak and opt_fake_obj) to induce a mis-optimized/uninitialized read that leaks internal pointers/metadata. From the leaked values it derives key heap metadata (maps for PACKED_ELEMENTS / PACKED_DOUBLE_ELEMENTS, FixedArray/FixedDoubleArray maps, and EmptyFixedArray) and forges a fake JSArray header inside a long-lived container array. Using this forged array, it implements stable exploitation primitives:
- addrof(obj): obtains the (cage) address of a JavaScript object.
- fakeobj(addr): materializes a JavaScript object reference from a supplied address.
- cage_read32/64 and cage_write32/64: arbitrary read/write within the V8 sandbox/cage region by indexing into the forged double-elements array.
No network communication, command execution, or reverse shell payload is present; the code stops at establishing memory read/write primitives. The README claims a defensive "scanner/mitigation" application and links to GitHub releases, but the actual repository content is an exploit PoC. The GN args file (StaticReleaseWithSymbol.args.gn) documents a V8 build configuration with symbols and debug/verification options, consistent with exploit development/testing.
Repository purpose: a stabilized JavaScript exploit for CVE-2025-5419 (V8 Turboshaft Store-Store Elimination leading to uninitialized read), demonstrating escalation to powerful in-engine primitives. Structure:
- CVE-2025-5419.js: core exploit. It defines float/int/bigint conversion helpers (ArrayBuffer views) and GC-shaping helpers (minor_gc/major_gc). Two JIT-trained functions (opt_leak and opt_fake_obj) are repeatedly executed to trigger optimized behavior. The exploit then:
  - Uses GC and the optimized uninitialized read to leak internal values (maps, elements pointers) and obtain a stable address leak for a chosen container.
  - Fakes a JSArray with PACKED_DOUBLE_ELEMENTS by crafting a fake object header inside a surviving container array, then obtains a usable fake reference via fake().
  - Builds "cage" read/write primitives (cage_read32/64, cage_write32/64) by indexing into the faked double-elements array, effectively turning element access into arbitrary memory access within the V8 sandbox/cage region.
  - Implements stable addrof(obj) and fakeobj(addr) by switching the faked array's map between PACKED_ELEMENTS and PACKED_DOUBLE_ELEMENTS and using the shared backing storage to reinterpret object pointers as doubles.
  - Includes validation checks to ensure expected GC/layout behavior.
- README.md: explains the bug class, environment (Ubuntu 24.04) and target V8 commit, and provides references.
- StaticReleaseWithSymbol.args.gn: GN args for building a release V8 with symbols and debugging aids.
No network I/O, C2, or external callbacks are present; the exploit is a local engine PoC intended to be run in a vulnerable V8/d8 build to obtain in-sandbox arbitrary read/write and object/pointer primitives (not a full sandbox escape or OS-level RCE by itself).
This repository contains a proof-of-concept exploit for CVE-2025-5419, a vulnerability in the V8 JavaScript engine's StoreStoreEliminationReducer optimization. The exploit is implemented in a single JavaScript file ('exploit.js') and is intended to be run in a custom-built, vulnerable version of the V8 shell (d8). The README is minimal, only stating the CVE identifier. The exploit leverages a bug in the handling of indexed loads and stores, allowing the removal of necessary array initialization stores, which leads to the ability to read uninitialized memory. This primitive is then escalated to achieve arbitrary memory read and write within the V8 process, potentially allowing for further exploitation such as sandbox escape. The exploit requires specific build steps and configuration, including patching a V8 source file for debug builds. The code references relevant V8 source and patch URLs for context. No network endpoints are present; all exploitation occurs locally within the V8 process.
This repository contains a proof-of-concept (POC) exploit for CVE-2025-5419, a bug in the V8 JavaScript engine's Store-Store-Elimination optimization. The main file, POC.html, is a standalone HTML file with embedded JavaScript. The script repeatedly executes a function that performs a dynamic property load and store on an object, mimicking the pattern that triggers the buggy optimization in affected V8 versions. After warming up the JIT, it alerts the result, which may be a correct value, a garbage value, or cause a crash if the bug is present. The README.md simply identifies the CVE. There are no network endpoints or external resources; the exploit is entirely self-contained and must be run in a browser with a vulnerable V8 engine. The purpose of the repository is to demonstrate the presence and effect of the bug, not to provide a weaponized or post-exploitation payload.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
112 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Google Chrome V8 out-of-bounds read/write vulnerability exploited in the wild; fixed via out-of-band update.
A Chromium V8 out-of-bounds read/write vulnerability referenced in the advisory section as an additional issue deserving attention.
Out-of-bounds access in Chrome V8 enabling heap corruption and exploitation.
A critical out-of-bounds read and write vulnerability in Chrome's V8 JavaScript engine, allowing remote attackers to trigger heap corruption via crafted HTML pages.