Exploit and mini writeup for CVE-2025-5419. github.com/mistymntncop...

My writeup for CVE-2024-7971. Just a POC. Let me know if u have any questions. github.com/mistymntncop...

CVE Cold Case. Isn't it crazy that even after a year we basically know nothing about the V8 ITW CVE-2024-0519. How is the property fast deletion path useful? Some minor notes about it here: gist.github.com/mistymntncop...

AsyncFreeSnowWhite - a Disney story.

In Spidermonkey is there a way of immediately creating an object on the Tenured heap without having to send it their via gc ?

Before its public release my attempt at reversing CVE-2023-2033 was a failure. I got close in that i identified there was some difference in behavior between AccessorInfo and AccessorPair but I got lost. I didn't realize that you had to exploit re-entrancy

CVE-2024-0519 is the vuln that got away. The swiftness of the patch has resisted attempts at reversing it so far. We know you can create a object where unused property fields = 0 but in reality it is bigger. This is known in the comments. However doesnt seem useful. What is the initial primitive ?

Spent some time researching #CVE-2024-11477, the new #7zip CVE and made a writeup about my work on it. Let me know what you think! github.com/TheN00bBuild...

On 01 Jul 2024 the "mOwnerWindow" fields from GlobalTeardownObserver was removed. mozilla::dom::Animation inherits from GlobalTeardownObserver. This is important as it will affect the size of Animation and offset of the write. hg.mozilla.org/mozilla-cent...

Re: The ITW CVE-2024-9680 exploit. I don't understand the purpose of the XSLT stuff. Doesn't really seem necessary ? Or We're they using it as an alloc primitive ?

Re: CVE-2024-9680 - the use of setTimeout to call "getInfo" is an odd choice. Wouldn't just using the promise resolution itself be better ?

As we suspected the ITW exploit for CVE-2024-9680 was definitely inspired by CVE-2022-0609. Just look at the variable names and other choices - such as creating a Animation object via "animate" function instead of constructor, he check for "if (this.toString() == "[object Animation]")" too.

ESET's writeup on the latest ITW Firefox 0day www.welivesecurity.com/en/eset-rese...

Dimitri Fourny's writeup on the latest Firefox ITW vuln CVE-2024-9680. A good old fashioned "I can free this thing in a callback UAF" - not as common in these modern type confusion dayze. dimitrifourny.github.io/2024/11/14/f...