This repository contains

• This repository constructed and proved the addressof and fakeobj primitives, as well as the arbitrary address read/write primitives in V8 sandbox.

• Commit: 609a85c2a1bd77d6f6905369f4bc4fcf34c5db09

• Command Line: out\x64.release\d8 --allow-natives-syntax

• Shoutout to @DarkNavyOrg for finding the poc.
• Shoutout to qianxin for writing a detailed analysis about this bug.
• Shoutout to mistymntncop for finding the exploit method.
• Shoutout to @bjrjk for helping.

1. https://zhuanlan.zhihu.com/p/1933101353829381194
2. https://chromium.googlesource.com/v8/v8.git/+/22e9d9621de58ec6fe6581b56215059a48451b9f%5E%21/#F0
3. https://github.com/mistymntncop/CVE-2025-6554/blob/main/exploit.js

This repository is intended solely for educational purposes and must not be used for any malicious activities.