Exploits from the Finding and Preventing Bugs in JavaScript Bindings paper

The binding layer connects JavaScript application code and the C++ runtime. It is used by systems such as Node.js, Chrome, PDFium, and the Chrome extension system to expose APIs otherwise not implementable in JavaScript (e.g., networking, filesystem, etc.). Unfortunately, writing binding code is error-prone, and bugs in this layer often have security implications. Our papers explore this topic in more detail.

We developed static checkers to find bugs in the binding layers of Node.js, Chrome, PDFium, and the Chrome extension system. This repository contains the code that was used to confirm the bugs. Most of these bugs have been reported (see, e.g., this link). There are some Node.js crashing bugs that we've yet to report (Node.js doesn't consider these as security issues so these aren't zero-days).

We originally ran the checkers on a node version from early September 2016 and Chrome version 56.0.2915.0 (Developer build). We omit any files that have been removed (e.g., due to refactoring) from more recent versions of the runtimes (node 7.7.4 and Chrome 56.0.2924.87) to simplify the bug reporting process. Most of the node bugs can be triggered for node-chakracore as well.

We will periodically update this repository with the source for exploits we used to trigger flagged bugs and (soon) with the flagged data itself.

We developed a Safe V8 API to address the classes of bugs that arise in the binding layer and ported node to this safe API. This API is backwards compatible (it breaks neither Node.js' tests nor the CITGM tests) and imposes little to no overhead (according to the node benchmarks).
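To make the two paragraphs above concrete, here is an added illustration (not code from this repository, and not the real Safe V8 API) of the kind of mistake that is easy to make in a binding and of the checked style that prevents it. JavaScript can call a native binding with any number of arguments of any type, so a binding that casts `args[0]` to an ArrayBuffer and `args[1]` to a number without checking (in V8 terms, calling `As<T>()` without first calling `IsT()`; the cast is unchecked in release builds) turns a caller's mistake into a crash or a type confusion. The `Value`, `Result`, `SumPrefixUnchecked` and `SumPrefixChecked` names below are invented for this example; `Value` is a tiny stand-in for a V8 handle, and a counter records where a real runtime would have misinterpreted memory.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Mock JavaScript value (stand-in for a V8 handle in this illustration).
enum class JsType { Undefined, Number, ArrayBuffer };

struct Value {
    JsType type = JsType::Undefined;
    double number = 0.0;             // payload when type == Number
    std::vector<uint8_t> bytes;      // backing store when type == ArrayBuffer
    bool IsNumber() const { return type == JsType::Number; }
    bool IsArrayBuffer() const { return type == JsType::ArrayBuffer; }
};

Value MakeNumber(double n) { Value v; v.type = JsType::Number; v.number = n; return v; }
Value MakeBuffer(std::vector<uint8_t> b) { Value v; v.type = JsType::ArrayBuffer; v.bytes = std::move(b); return v; }

// In a real runtime an unchecked cast of the wrong object is a type confusion.
// The mock records the event instead of corrupting memory.
static int g_type_confusions = 0;

static const std::vector<uint8_t>& AsArrayBufferUnchecked(const Value& v) {
    if (!v.IsArrayBuffer()) ++g_type_confusions;
    return v.bytes;
}
static double AsNumberUnchecked(const Value& v) {
    if (!v.IsNumber()) ++g_type_confusions;
    return v.number;
}

// Error-prone binding style: assumes JS passed (ArrayBuffer, Number) and never
// checks argument count, types or range. Sums the first `count` bytes.
long SumPrefixUnchecked(const std::vector<Value>& args) {
    const auto& buf = AsArrayBufferUnchecked(args[0]);            // args may be empty
    size_t count = static_cast<size_t>(AsNumberUnchecked(args[1])); // -1 wraps to SIZE_MAX
    long total = 0;
    for (size_t i = 0; i < count; ++i) total += buf[i];             // may read past the buffer
    return total;
}

// Outcome a checked binding hands back to JS: either a value or an exception.
struct Result {
    bool ok;
    std::string error;   // JS-visible exception message when !ok
    long value;          // meaningful only when ok
};

// Checked style in the spirit of the Safe V8 API: every assumption about what
// JS passed is verified, and a violation becomes a JS exception instead of a
// crash or type confusion.
Result SumPrefixChecked(const std::vector<Value>& args) {
    if (args.size() < 2)
        return {false, "TypeError: expected (ArrayBuffer, Number)", 0};
    if (!args[0].IsArrayBuffer())
        return {false, "TypeError: argument 0 is not an ArrayBuffer", 0};
    if (!args[1].IsNumber())
        return {false, "TypeError: argument 1 is not a Number", 0};
    const double n = args[1].number;
    // JS numbers are doubles: reject NaN (!(n >= 0)), negatives and fractions
    // before converting to size_t, where a negative value would wrap.
    if (!(n >= 0) || n != std::floor(n))
        return {false, "RangeError: count must be a non-negative integer", 0};
    if (n > static_cast<double>(args[0].bytes.size()))
        return {false, "RangeError: count exceeds buffer length", 0};
    const size_t count = static_cast<size_t>(n);
    long total = 0;
    for (size_t i = 0; i < count; ++i) total += args[0].bytes[i];
    return {true, "", total};
}

int main() {
    // Constructed inputs: a well-formed call and three malformed ones.
    std::cout << SumPrefixChecked({MakeBuffer({1, 2, 3, 4}), MakeNumber(3)}).value << "\n";  // 6
    std::cout << SumPrefixChecked({}).error << "\n";
    std::cout << SumPrefixChecked({MakeNumber(3), MakeBuffer({1})}).error << "\n";
    std::cout << SumPrefixChecked({MakeBuffer({1, 2}), MakeNumber(-1)}).error << "\n";
    return 0;
}
```

On well-formed input both bindings agree; the difference is that every malformed call to `SumPrefixChecked` is reported to JavaScript as a TypeError or RangeError, whereas `SumPrefixUnchecked` would index an empty argument vector, read through the wrong type, or loop with a wrapped length. The negative-count and NaN cases are worth keeping in mind: a binding can check `IsNumber()` and still be wrong if it converts the double to an unsigned size without a range check.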
