CVE-2025-1234: Type Confusion in V8 JavaScript Engine Exploited in the Wild
CVE-2025-1234: Type confusion in V8 exploited in the wild, enabling arbitrary code execution via JIT deoptimization. MITRE T1059.004, EDR blind spots, and post-patch exposure.
CVE-2025-1234, CVSS v3.1 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), is a type confusion in V8’s TurboFan JIT optimizer affecting Chrome < 136.0.6758.120 and all Chromium-based embeddings below that boundary. Active exploitation confirmed in the wild since January 2025. Attribution unconfirmed at time of writing; exploitation pattern is consistent with commodity initial-access broker tooling based on CDN infrastructure reuse and generic payload staging rather than targeted APT tradecraft.
The root cause is a missing type descriptor revalidation in TurboFan’s type transition table update path. When an object is initially profiled as a fixed-size JSArray and JIT-compiled under that assumption, subsequent access through a dynamic property accessor can trigger a hidden class transition that TurboFan does not re-check before emitting optimized machine code. The engine continues operating on stale type metadata. On deoptimization, V8 falls back to bytecode interpretation but retains the corrupted object layout — at which point the attacker controls what the engine believes it is reading.
Exploitation sequence: heap spray via TypedArray allocations aligned to 8KB pages establishes predictable object placement in the renderer heap. A crafted function is compiled hot under TurboFan with incorrect type inference for a target object. The attacker triggers a property accessor on what TurboFan recorded as a JSArray but which has been transitioned to a dictionary-mode object with attacker-controlled field offsets. The resulting out-of-bounds read/write within the renderer address space is the exploit primitive. From there, standard V8 sandbox escape techniques apply — pointer compression table abuse or caged heap pivot depending on Chrome version — to reach arbitrary code execution inside the renderer. The initial payload used new Function() construction with obfuscated string arguments to evade static string-match detection, with eval() wrappers for second-stage execution. No compiled payload on disk at any stage; subsequent stages fetched from compromised CDNs post-execution. MITRE ATT&CK T1059.007 and T1068.
Defender telemetry: Sysmon Event ID 1 (Process Creation) with ParentImage matching chrome.exe and Image outside {chrome.exe, crashpad_handler.exe, nacl64.exe} is the detection anchor for unexpected child process spawning. Command lines carrying --no-sandbox or --disable-setuid-sandbox are hard indicators — flag these unconditionally. Sysmon Event ID 8 (CreateRemoteThread) appears if the renderer-to-browser privilege escalation step uses cross-process injection. On the network side, the initial exploit chain produces no C2 IOCs — everything runs in-renderer. The tell is the post-compromise stage: HTTP GET to a CDN-hosted path with a randomized URI matching the pattern /static/[a-f0-9]{16}\.js, User-Agent matching the victim’s Chrome version exactly. EDR platforms with memory scan coverage should catch heap anomalies consistent with JIT trampoline injection, though correlation with the type confusion trigger is not uniformly implemented.
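The process and network anchors above, as an added detection prototype that is not part of the original post: it tags Sysmon Event ID 1 records whose parent is chrome.exe and whose child image is outside the expected set, flags the sandbox-disabling switches unconditionally, and matches proxy records against the stager URI pattern with a User-Agent version check. Field names follow Sysmon; the proxy record layout, the asset-inventory Chrome version, and all sample events are constructed assumptions.

```python
import re

# Expected direct children of chrome.exe per the telemetry notes above; anything
# else spawned by the browser is the detection anchor.
EXPECTED_CHROME_CHILDREN = {"chrome.exe", "crashpad_handler.exe", "nacl64.exe"}
SANDBOX_FLAGS = {"--no-sandbox", "--disable-setuid-sandbox"}
STAGER_URI = re.compile(r"^/static/[a-f0-9]{16}\.js$")
UA_CHROME_VERSION = re.compile(r"Chrome/(\d+(?:\.\d+){3})")

def image_name(path):
    """Basename of a Windows or POSIX image path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify_process_event(ev):
    """Alert tags for one Sysmon Event ID 1 record (fields as Sysmon names them)."""
    tags = []
    if (image_name(ev["ParentImage"]) == "chrome.exe"
            and image_name(ev["Image"]) not in EXPECTED_CHROME_CHILDREN):
        tags.append("unexpected_chrome_child")
    if SANDBOX_FLAGS & set(ev.get("CommandLine", "").split()):
        tags.append("sandbox_disabled_flag")  # hard indicator, flagged unconditionally
    return tags

def classify_http_event(ev, host_chrome_version):
    """Alert tags for one proxy record; host_chrome_version is assumed to come from inventory."""
    tags = []
    if STAGER_URI.match(ev["uri"]):
        tags.append("stager_uri_pattern")
        m = UA_CHROME_VERSION.search(ev.get("user_agent", ""))
        if m and m.group(1) == host_chrome_version:
            tags.append("ua_matches_host_version")
    return tags

# Constructed sample telemetry (not captured data): benign and suspicious records per source.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer"},
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --no-sandbox"},
]
SAMPLE_HTTP_EVENTS = [
    {"uri": "/static/app.js", "user_agent": "Mozilla/5.0 Chrome/136.0.6758.100 Safari/537.36"},
    {"uri": "/static/0123456789abcdef.js", "user_agent": "Mozilla/5.0 Chrome/136.0.6758.100 Safari/537.36"},
]

def run_detections(host_chrome_version="136.0.6758.100"):
    """Return per-event tag lists for both sample sources, in input order."""
    proc = [classify_process_event(e) for e in SAMPLE_PROCESS_EVENTS]
    http = [classify_http_event(e, host_chrome_version) for e in SAMPLE_HTTP_EVENTS]
    return proc, http
```

The URI pattern alone is noisy on hashed static assets; the version match against inventory is what narrows it to the post-compromise stage described above.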
For memory forensics: Volatility malfind against the Chrome renderer process surfaces injected executable regions that lack a mapped backing file. Rekall’s vaddump on the renderer heap will show TypedArray allocations clustered in a tight address range — classic spray artifact. The absence of disk writes is not a detection gap if you have process memory telemetry; it is only a gap if your detection stack is hash-and-domain-based.
Patch to Chrome 136.0.6758.120. Chromium embeddings require the same V8 version boundary. The fix adds a mandatory type revalidation check in TurboFan::BuildTypeTransition before emitting optimized property access code. This class of bug has a direct precedent in SpiderMonkey (CVE-2024-5987) and JavaScriptCore (CVE-2024-6132) — V8 is the highest-frequency target because of deployment scale and optimization aggressiveness, not architectural uniqueness. Expect variants.