The binding layer connects JavaScript application code and the C++ runtime. It is used by systems such as Node.js, Chrome, PDFium, and the Chrome extension system to expose APIs that cannot otherwise be implemented in JavaScript (e.g., networking, filesystem, etc.). Unfortunately, writing binding code is error-prone, and bugs in this layer often have security implications. Our papers explore this topic in more detail:

We developed static checkers to find bugs in the binding layers of Node.js, Chrome, PDFium, and the Chrome extension system. This repository contains the code that was used to confirm the bugs. Most of these bugs have been reported (see, e.g., this link). There are some Node.js crashing bugs that we have yet to report (Node.js doesn't consider these security issues, so they aren't zero-days).

We originally ran the checkers on a node version from early September 2016 and Chrome version 56.0.2915.0 (Developer build). We omit any files that have been removed (e.g., due to refactoring) from more recent versions of the runtimes (node 7.7.4 and Chrome 56.0.2924.87) to simplify the bug reporting process. Most of the node bugs can be triggered for node-chakracore as well.

We will periodically update this repository with the source for exploits we used to trigger flagged bugs and (soon) with the flagged data itself.

We developed a Safe V8 API to address the classes of bugs that arise in the binding layer and ported node to this safe API. This API is backwards compatible (it breaks neither Node.js' tests nor the CITGM tests) and imposes little to no overhead (according to the node benchmarks).


Exploits from the Finding and Preventing Bugs in JavaScript Bindings paper