MediumCISA KEVExploited in the wildPublic exploit

Out-of-bounds write in Google Chrome JavaScript

IdentifiersCVE-2019-5825CWE-787· Out-of-bounds Write

CVE-2019-5825 is an out-of-bounds write vulnerability in the JavaScript engine of Google Chrome prior to version 73.0.3683.86. The provided content states that a remote attacker could trigger heap corruption via a crafted HTML page. The vulnerability was used as one of several Android Chrome browser exploits in the MOONSHINE framework, and the referenced exploit was reportedly based on exploit code published by Exodus Intelligence after identifying a Chrome JavaScript-engine flaw that had been fixed in source code before the patch had shipped broadly to users.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can corrupt the browser heap and may allow an attacker to achieve code execution in the context of the Chrome renderer or otherwise gain control over browser execution flow. In the campaign described in the content, the exploit was used as an initial browser compromise step to deliver additional Android malware components, enabling subsequent spyware installation and surveillance activity.

Mitigation

If you can’t patch tonight, do this now.

Where immediate patching is not possible, reduce exposure by restricting use of vulnerable Chrome versions on Android devices, limiting access to untrusted or attacker-controlled links, and using application/browser update enforcement through mobile device management. Because exploitation was delivered through crafted links and browser content, minimizing exposure to unsolicited links and isolating high-risk browsing activity can reduce risk until patched versions are installed.

Remediation

Patch, then assume compromise.

Upgrade Google Chrome to version 73.0.3683.86 or later. More generally, ensure Chrome and Chromium-based browsers on affected Android devices are updated promptly so that JavaScript-engine security fixes are deployed as soon as they are released.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app

CVE-2019-5825MaturityPoCVerified exploit

This repository contains a working exploit for CVE-2019-5825, a vulnerability in Google Chrome's V8 JavaScript engine (version 6.9.0, as shipped with Chrome 73.0.3683.86). The exploit targets the browser in --no-sandbox mode and achieves arbitrary read/write (AARW) in the V8 heap by corrupting array lengths and object pointers via a crafted Array.map call. The main exploit logic is implemented in 'exodus.js', which demonstrates the full chain from bug trigger to shellcode execution by abusing a WebAssembly instance to obtain a RWX memory page. The shellcode is injected and executed, resulting in remote code execution. Supporting files include 'exploit.js' and 'nextline.js', which are alternative or simplified exploit scripts for the same vulnerability, and 'exploit.sh', a Bash script to automate testing on both ia32 and x64 V8 d8 shells. The repository is operational and provides a full exploit chain, including payload delivery. No network endpoints or external services are targeted; the exploit is local to the browser or JavaScript engine process. The code is well-structured, with clear separation between helper functions, exploit primitives, and payload delivery.

timwrDisclosed Nov 23, 2019javascriptbashbrowser

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

GoogleChromeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

citizenlabNews

Dec 10, 2025

Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits - The Citizen Lab

A Google Chrome vulnerability used by POISON CARP in MOONSHINE; exploit code was publicly released before the patch had reached Chrome users.

citizenlabNews

Sep 24, 2019

Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits

A Google Chrome vulnerability for which Exodus Intelligence published working exploit code; used by MOONSHINE against vulnerable Android Chrome versions.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence2

Every observed campaign linking this CVE to a named adversary.

Associated malware3

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2019-5825

NVD

nvd.nist.gov/vuln/detail/CVE-2019-5825

chromereleases.googleblog.com/2019/04/stable-channel-update-for-desktop_30.html

Third Party Advisory

packetstormsecurity.com/files/156641/Google-Chrome-72-73-Array.map-Corruption.html

US Government Resource

cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5825