PT-2025-25452
CVE-2025-46168 JSTargetFuzzer-V2 JSTargetFuzzer-v2.0 is a fuzzing approach that incorporates novel history-based guidance, using tailored seeds and custom mutation operators. It is built on top of the Fuzzilli fra... https://t.co/ioVUFu93Dp...
Fuzzilli - A JavaScript Engine Fuzzer
A coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language "FuzzIL" which can be mutated and translated to JavaScript. Usage The basic steps to use this fuzzer are: 1. Download the source code for one of the supported JavaScript engines. See the Targets/...
Announcing the Fuzzilli Research Grant Program
Posted by Samuel Groß, Project Zero Project Zero’s mission is to make 0-day hard in order to improve end-user security. We attack this problem in different ways, including supporting other security researchers. While Google currently offers research grants, they are limited to academics and those...
JSC DFG ObjectAllocationSinkingPhase Crash
JSC: DFG: ObjectAllocationSinkingPhase leaves data flow graph inconsistent While fuzzing JavaScriptCore with fuzzilli, I encountered the following simplified and commented JavaScript program which crashes jsc from current HEAD and the stable release: function v9 const v14 = ; const v15 = a: 42;...
JSC Argument Object Reconstruction Type Confusion
JSC: Type confusion during bailout when reconstructing arguments objects The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds: function main const v2 = 1337,1337; const v3 = 1337,v2,v2,0; Object.__proto__ = v3; for let v10 = 0; v10...
JavaScriptCore - GetterSetter Type Confusion During DFG Compilation Exploit
The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release /System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc: let notAGetterSetter = whatever: 42; function v2v5 const v10 = Object; if v5 const v1...