author: @buptsb, @mistymntncop
2024-08-30 10:23:02

https://x.com/mistymntncop/status/1829127856389271818

Info

https://chromium-review.googlesource.com/c/v8/v8/+/5553030
[parser] Using FunctionParsingScope for parsing class static blocks
Class static blocks contain statements and don't inherit the ExpressionScope stack.

https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html
[N/A][341663589] High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20
Google is aware that an exploit for CVE-2024-5274 exists in the wild.

https://v8.dev/blog/understanding-ecmascript-part-4#the-very-permissive-new-symbol%3A-cpeaapl
https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-4262.html

PoC

https://github.com/mistymntncop/CVE-2024-5274/blob/main/exploit.js