
Posts by mistymntncop

Exploit and mini writeup for CVE-2025-5419.
github.com/mistymntncop...

7 months ago 2 1 0 0

Thank you :) !! A lot of ppl will appreciate it for sure.

11 months ago 0 0 0 0

Could you please leave the sold items up for a week so that we latecomers can see the full list of items sold for that week :) ?

11 months ago 0 0 1 0

My writeup for CVE-2024-7971. Just a POC. Let me know if you have any questions.
github.com/mistymntncop...

1 year ago 3 3 0 0
CVE-2024-0519 notes GitHub Gist: instantly share code, notes, and snippets.

CVE Cold Case. Isn't it crazy that even after a year we basically know nothing about the V8 ITW CVE-2024-0519. How is the property fast deletion path useful? Some minor notes about it here:
gist.github.com/mistymntncop...

1 year ago 1 0 0 0

Congrats Ben and Alex :). So what v8 CVE was it :) ?

1 year ago 0 0 0 0

Huak Tuah's influence on the culture is immeasurable

1 year ago 1 0 0 0

AsyncFreeSnowWhite - a Disney story.

1 year ago 0 0 0 0

In SpiderMonkey is there a way of immediately creating an object on the Tenured heap without having to send it there via GC?

1 year ago 0 0 0 0
Chrome Internal JavaScript Object Access Via Origin Trials ≈ Packet Storm Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers

Funnily enough Glazunov posted a very similar issue but I completely missed that it was similar to CVE-2023-2033. packetstormsecurity.com/files/173131...

1 year ago 0 0 0 0

Before its public release my attempt at reversing CVE-2023-2033 was a failure. I got close in that I identified there was some difference in behavior between AccessorInfo and AccessorPair but I got lost. I didn't realize that you had to exploit re-entrancy.

1 year ago 1 0 1 0

CVE-2024-0519 is the vuln that got away. The swiftness of the patch has resisted attempts at reversing it so far. We know you can create an object where unused property fields = 0 but in reality it is bigger. This is known in the comments. However it doesn't seem useful. What is the initial primitive?

1 year ago 0 0 0 0
GitHub - TheN00bBuilder/cve-2024-11477-writeup: CVE-2024-11477 7Zip Code Execution Writeup and Analysis CVE-2024-11477 7Zip Code Execution Writeup and Analysis - TheN00bBuilder/cve-2024-11477-writeup

Spent some time researching #CVE-2024-11477, the new #7zip CVE and made a writeup about my work on it. Let me know what you think! github.com/TheN00bBuild...

1 year ago 20 4 1 1
mozilla-central @ df7327d207f1681a7ba33a6778ad218f882322c2 Bug 1904442 - Remove GlobalTearDownObserver::mOwnerWindow. r=smaug

On 01 Jul 2024 the "mOwnerWindow" field from GlobalTeardownObserver was removed. mozilla::dom::Animation inherits from GlobalTeardownObserver. This is important as it will affect the size of Animation and the offset of the write.
hg.mozilla.org/mozilla-cent...

1 year ago 1 0 0 0

Indeed the Promise will be resolved at the end of the nsAutoMicroTask scope, while the setTimeout callback will be run when the event loop is pumped next. So the promise resolution seems better to me as it's earlier.

1 year ago 0 0 0 0

Re: The ITW CVE-2024-9680 exploit. I don't understand the purpose of the XSLT stuff. Doesn't really seem necessary? Or were they using it as an alloc primitive?

1 year ago 0 0 0 0

Re: CVE-2024-9680 - the use of setTimeout to call "getInfo" is an odd choice. Wouldn't just using the promise resolution itself be better?

1 year ago 0 0 1 0

As we suspected the ITW exploit for CVE-2024-9680 was definitely inspired by CVE-2022-0609. Just look at the variable names and other choices - such as creating an Animation object via the "animate" function instead of the constructor, and the check for "if (this.toString() == "[object Animation]")" too.

1 year ago 1 0 0 0
RomCom exploits Firefox and Windows zero days in the wild ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-cl...

ESET's writeup on the latest ITW Firefox 0day
www.welivesecurity.com/en/eset-rese...

1 year ago 1 0 0 0
Chromium

It's eerily similar to CVE-2022-0609 which was exploited ITW by North Korea :S.
issues.chromium.org/issues/40058...

1 year ago 0 0 0 0
Firefox Animation CVE-2024-9680 – Dimitri Fourny Personal website and computer security blog.

Dimitri Fourny's writeup on the latest Firefox ITW vuln CVE-2024-9680. A good old-fashioned "I can free this thing in a callback" UAF - not as common in these modern type confusion dayze.
dimitrifourny.github.io/2024/11/14/f...

1 year ago 0 0 1 0

www.youtube.com/watch?v=W1LB...

2 years ago 0 0 0 0