As part of our research into JavaScript engines, we’ve collated a set of V8 vulnerability PoCs. These may be useful for studying common trends and bug styles, and for importing into your fuzzing corpus.

Three sources were used to gather the dataset:

  • In-line PoC payloads on public V8 bug reports.
  • Attachments on V8 bug reports.
  • Where no PoC was uploaded to the bug report, the regress/stress test case added to the V8 codebase for that bug report.
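Matching a bug report to its regress test case (the third source above) and pulling out the d8 flags the test declares, as an added example that is not part of the original post. It assumes the V8 layout `test/mjsunit/regress/regress-crbug-<id>.js` and `// Flags:` header lines; the sample tree it builds is constructed, not real test content.

```python
"""Locate V8 regress tests for a crbug id and collect the flags they declare.
Assumed layout: test/mjsunit/regress/regress-crbug-<id>.js with `// Flags:`
header lines; the sample tree below is constructed for the example."""
import os
import re
import tempfile

FLAGS_RE = re.compile(r"^//\s*Flags:\s*(.*)$")

def build_sample_tree():
    """Constructed stand-in for a V8 checkout (not real V8 test content)."""
    root = tempfile.mkdtemp()
    regress = os.path.join(root, "test", "mjsunit", "regress")
    os.makedirs(regress)
    files = {
        "regress-crbug-1234.js": "// Flags: --allow-natives-syntax --expose-gc\n"
                                 "// Flags: --no-lazy-feedback-allocation\n"
                                 "function f() { return 1; }\n",
        "regress-12345.js": "// Regression test for crbug.com/1234 (see crbug.com/99)\n"
                            "function g() {}\n",
        "regress-crbug-12340.js": "// unrelated bug whose id shares a prefix\n",
    }
    for name, body in files.items():
        with open(os.path.join(regress, name), "w") as fh:
            fh.write(body)
    return root

def find_regress_tests(root, bug_id):
    """Return tests named after the bug or mentioning crbug.com/<id> exactly."""
    name_pat = re.compile(rf"^regress-crbug-{bug_id}(-\d+)?\.js$")  # suffix assumed
    mention_pat = re.compile(rf"crbug\.com/{bug_id}(?!\d)")  # avoid prefix matches
    hits = []
    for dirpath, _, filenames in os.walk(os.path.join(root, "test")):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            if name_pat.search(fn):
                hits.append(path)
                continue
            with open(path, errors="replace") as fh:
                if mention_pat.search(fh.read()):
                    hits.append(path)
    return sorted(hits)

def parse_flags(path):
    """Collect every flag from the test's `// Flags:` lines, in order."""
    flags = []
    with open(path) as fh:
        for line in fh:
            m = FLAGS_RE.match(line.strip())
            if m:
                flags.extend(m.group(1).split())
    return flags
```

The collected flags are what a harness needs to replay the test case under d8 after importing it into a corpus.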

The following Chromium Bug Tracker search queries were useful in finding vulnerabilities that may contain PoCs:

Find Bug Reports with In-line PoC Payloads:

component:Blink>JavaScript  (status:Verified OR status:Fixed) label:Security_Severity -label:Security_Severity-Low ("function" OR "main()" OR "var " OR "v1 " OR "proto")

Find Bug Reports with PoC Attachments, or Links to External PoCs:

component:Blink>JavaScript  (status:Verified OR status:Fixed) label:Security_Severity -label:Security_Severity-Low ".js"

Using this approach, we gathered a large set of PoCs from both external researchers and Clusterfuzz.

Note: This is not an exhaustive list. We ignored duplicates and low-severity bugs, and there are likely bugs that we missed.