Exploiting the Undefined: PWNing Firefox by Settling its Promises

Tao Yan, Edouard Bochin

Hexacon 2025 · Day 1 · Main Stage

This talk, presented by Tao Yan and Edouard Bochin from Palo Alto Networks, walks through a sophisticated exploitation chain targeting a long-standing vulnerability in the Firefox JavaScript engine, SpiderMonkey. The researchers detail an **out-of-bounds write** bug present in the `Promise.allSettled` implementation since its introduction in 2019, which they leveraged to achieve arbitrary code execution at Pwn2Own Berlin. Their work highlights the often-overlooked complexity introduced by modern **asynchronous programming** constructs in JavaScript, turning what appear to be developer-friendly abstractions into a ripe **attack surface** within browser engines.

AI review

Yan and Bochin present a legitimate, well-executed browser exploitation chain rooted in original Pwn2Own work. The research demonstrates real technical depth — taking a six-year-old, highly constrained OOB write in SpiderMonkey's Promise.allSettled implementation and escalating it through GC manipulation, UAF, type confusion, and finally Wasm RWX code execution. This is the kind of talk that separates people who actually exploit browsers from people who write blog posts about people who exploit browsers. Minor reservations around presentation polish and the demo hiccups, but the underlying…
