CVE-2025-6554

HIGH KEV

Google Chrome < 138.0.7204.96 - Type Confusion in V8

Title source: llm

Exploitation Summary

CVE-2025-6554 is actively exploited and is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 2, 2025. EIP tracks 10 public exploits from researchers including mistymntncop, aklnjakln and Muhammednihalmp.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2025-6554, targeting a type confusion vulnerability in V8's TurboFan optimizer. The exploit leverages incorrect type inference to achieve arbitrary memory read/write, leading to remote code execution.

Description

Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)

Exploits (10)

github · WORKING POC · 41 stars
by mistymntncop · javascript · client-side
https://github.com/mistymntncop/CVE-2025-6554

This repository contains a functional exploit PoC for CVE-2025-6554, targeting a type confusion vulnerability in V8's TurboFan optimizer. The exploit leverages incorrect type inference to achieve arbitrary memory read/write, leading to remote code execution.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: V8 JavaScript Engine (Chromium-based browsers)
No auth needed
Prerequisites: V8 engine built from specific commit (609a85c2a1bd77d6f6905369f4bc4fcf34c5db09) · d8 shell with --allow-natives-syntax flag
devstral-2 · analyzed Feb 19, 2026
nomisec · WORKING POC · 30 stars
by aklnjakln · client-side
https://github.com/aklnjakln/CVE-2025-6554

This PoC exploits a type confusion vulnerability in V8 (CVE-2025-6554) to achieve arbitrary read/write primitives via corrupted array access, enabling sandbox escape. It demonstrates addressof, fakeobj, and memory manipulation techniques.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: V8 JavaScript Engine (commit 609a85c2a1bd77d6f6905369f4bc4fcf34c5db09)
No auth needed
Prerequisites: V8 engine with specific commit · Access to execute JavaScript with --allow-natives-syntax flag
devstral-2 · analyzed Feb 16, 2026
nomisec · WRITEUP · 11 stars
by Muhammednihalmp · poc
https://github.com/Muhammednihalmp/Google-chrome-zero-day

This repository is an educational writeup for a Google Chrome zero-day vulnerability (CVE-2025-6554), focusing on training materials, lab exercises, and defensive techniques. It does not contain exploit code but provides high-level analysis and mitigation guidance.

Classification: Writeup (100%)
Attack Type: Other
Complexity: N/A
Reliability: N/A
Target: Google Chrome (version not specified)
No auth needed
Prerequisites: Isolated lab environment with virtualization · Debug builds of Chrome/Chromium · Analysis tools (WinDbg/gdb, procmon)
devstral-2 · analyzed Feb 16, 2026
github · WORKING POC · 4 stars
by jopraveen · javascript · client-side
https://github.com/jopraveen/CVE-2025-6554

This PoC exploits a type confusion vulnerability in the V8 JavaScript engine (version 13.8.258.19) to achieve arbitrary read/write primitives and execute shellcode via WebAssembly. The exploit leverages a corrupted array to manipulate object maps and gain memory access.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: V8 JavaScript Engine 13.8.258.19
No auth needed
Prerequisites: Target running V8 version 13.8.258.19 · Ability to execute arbitrary JavaScript in the target environment
devstral-2 · analyzed Feb 19, 2026
nomisec · WORKING POC · 2 stars
by PwnToday · client-side
https://github.com/PwnToday/CVE-2025-6554

This PoC exploits a V8 JavaScript engine bug (CVE-2025-6554) where a variable accessed before declaration in combination with a delete operation leaks the internal 'The Hole' sentinel value, enabling type confusion attacks.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: V8 JavaScript Engine (pre-patch versions)
No auth needed
Prerequisites: V8 engine with the unpatched vulnerability
devstral-2 · analyzed Feb 16, 2026
nomisec · STUB · 2 stars
by gmh5225 · client-side
https://github.com/gmh5225/CVE-2025-6554-2

The repository contains only a README.md file with a CVE identifier and no additional details or exploit code. It lacks any technical content or proof-of-concept implementation.

Classification: Stub (10%)
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by juccoblak · client-side
https://github.com/juccoblak/CVE-2025-6554

This repository contains a working proof-of-concept exploit for CVE-2025-6554, leveraging a type confusion vulnerability in V8 to achieve arbitrary read/write primitives. The exploit demonstrates memory corruption via optimized JavaScript functions and array manipulations.

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: V8 JavaScript Engine (specific version not explicitly stated)
No auth needed
Prerequisites: V8 engine with specific optimizations enabled · Ability to execute arbitrary JavaScript
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC · 1 star
by ghostn4444 · infoleak
https://github.com/ghostn4444/POC-CVE-2025-6554

This PoC demonstrates a JavaScript engine vulnerability (CVE-2025-6554) in V8's bytecode generation, where a missing hole check allows leaking uninitialized values. The exploit uses the `delete` operator on a chained optional property access to trigger the issue.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: V8 JavaScript Engine (pre-patch)
No auth needed
Prerequisites: V8 engine with `--allow-natives-syntax` flag enabled
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by LordBheem · poc
https://github.com/LordBheem/CVE-2025-6554

This PoC demonstrates a V8 JavaScript engine vulnerability (CVE-2025-6554) where improper hole checks in bytecode generation could lead to information leakage. The exploit leverages a missing `ThrowReferenceErrorIfHole` instruction in the return path, allowing access to uninitialized variables.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: V8 JavaScript Engine (pre-patch)
No auth needed
Prerequisites: V8 engine with `--allow-natives-syntax` flag enabled
devstral-2 · analyzed Feb 16, 2026
nomisec · WORKING POC
by gmh5225 · client-side
https://github.com/gmh5225/CVE-2025-6554

This PoC demonstrates a type confusion vulnerability in the V8 JavaScript engine (CVE-2025-6554) by manipulating array access to leak object properties. The exploit triggers deoptimization and memory leaks, confirming the vulnerability in V8 version 13.8.500258.

Classification: Working PoC (95%)
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: V8 JavaScript Engine 13.8.500258
No auth needed
Prerequisites: V8 engine version 13.8.500258 · ASAN-enabled build environment · Debug symbols and tools for analysis
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 8.1
EPSS: 0.0158
EPSS Percentile: 82.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: no
Technical Impact: total

Details

CISA KEV: 2025-07-02
VulnCheck KEV: 2025-06-30
ENISA EUVD: EUVD-2025-19675
CWE: CWE-843
Status: published
Products (1): google/chrome < 138.0.7204.96
Published: Jun 30, 2025
KEV Added: Jul 02, 2025
Tracked Since: Feb 18, 2026