## https://sploitus.com/exploit?id=75FF06D4-F535-5975-9365-D087FF6B4847
# Chromium IndexedDB Use-After-Free RCE Vulnerability (CVE-2025-11460)
> **⚠️ Educational Purposes Only**
## Overview
This vulnerability allowed a **remote attacker** (a malicious webpage driving a compromised renderer) to achieve **arbitrary code execution** in the unsandboxed browser process by exploiting a use-after-free in IndexedDB's database connection management during forced database closure.
## Root Cause
When `Database::ForceCloseAndRunTasks()` is called:
1. `force_closing_` flag is set to `true`
2. All existing connections are cleared
3. A task is queued via `BucketContext::QueueRunTasks()` to eventually destroy the `Database` object
However, **new connection requests** arriving in the narrow window *after* destruction was queued but *before* `RunTasks()` actually executed were still accepted:
- `Database::CreateConnection()` did **not** check `force_closing_`, so the late request was accepted
- During force-close, the `ConnectionClosed()` callbacks were skipped, so freed `Connection` objects remained referenced in `connections_`
- Later, `Database::RunTasks()` iterated over the stale `connections_` list, which caused a **heap use-after-free**
This occurred in the **non-sandboxed** browser process (via Mojo IPC from a compromised renderer), making exploitation particularly dangerous.
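As an added example (not Chromium's code and not the PoC author's), the following C++ model reproduces the lifecycle described above: the vulnerable `CreateConnection()` that ignores `force_closing_` next to the hardened variant that refuses new connections once force-close has begun. The class and method names mirror the write-up, but their bodies, the `live_` registry and the `SimulateRace()` driver are assumptions built for illustration; the model never dereferences freed memory and instead counts the stale entries `RunTasks()` would have walked, so it runs cleanly under ASan.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Constructed model of the lifecycle in the write-up; not Chromium code.
// Names mirror the text, bodies are simplified assumptions.
struct Connection {
    int id;
};

class Database {
public:
    // check_force_closing selects the hardened CreateConnection() path.
    explicit Database(bool check_force_closing)
        : check_force_closing_(check_force_closing) {}

    ~Database() {
        for (Connection* c : live_) delete c;  // connections_ may hold stale pointers
    }

    // Vulnerable path (check_force_closing == false): force_closing_ is ignored,
    // so a request landing after destruction was queued is still accepted.
    Connection* CreateConnection() {
        if (check_force_closing_ && force_closing_) return nullptr;  // fix: refuse
        Connection* c = new Connection{next_id_++};
        connections_.push_back(c);
        live_.insert(c);
        return c;
    }

    // Normal close: ConnectionClosed() drops the pointer from connections_.
    // During force-close the callback is skipped, so the freed object
    // stays referenced in connections_.
    void CloseConnection(Connection* c) {
        if (!force_closing_) ConnectionClosed(c);
        live_.erase(c);
        delete c;
    }

    // Steps 1-3 of the root-cause description.
    void ForceCloseAndRunTasks() {
        force_closing_ = true;
        for (Connection* c : connections_) {
            live_.erase(c);
            delete c;
        }
        connections_.clear();
        QueueRunTasks();
    }

    // Walks connections_ as the write-up says the real RunTasks() did, but only
    // compares pointer values against the live registry and returns how many
    // entries point at freed objects instead of touching them.
    std::size_t RunTasks() {
        std::size_t dangling = 0;
        for (Connection* c : connections_)
            if (!live_.count(c)) ++dangling;
        run_tasks_queued_ = false;  // the queued task (Database destruction) ran
        return dangling;
    }

    bool run_tasks_queued() const { return run_tasks_queued_; }

private:
    void ConnectionClosed(Connection* c) {
        connections_.erase(std::remove(connections_.begin(), connections_.end(), c),
                           connections_.end());
    }
    void QueueRunTasks() { run_tasks_queued_ = true; }

    bool check_force_closing_;
    bool force_closing_ = false;
    bool run_tasks_queued_ = false;
    int next_id_ = 1;
    std::vector<Connection*> connections_;
    std::set<Connection*> live_;
};

// The race window: destruction queued, a late request lands before RunTasks(),
// that connection is closed with the callback skipped, then RunTasks() walks
// connections_. Returns the number of stale entries it encountered.
std::size_t SimulateRace(bool hardened) {
    Database db(hardened);
    db.CreateConnection();                     // an ordinary connection
    db.ForceCloseAndRunTasks();                // flag set, list cleared, destruction queued
    Connection* late = db.CreateConnection();  // request inside the window
    if (late) db.CloseConnection(late);        // ConnectionClosed() skipped: stale pointer left
    return db.RunTasks();
}

// Control: outside force-close, ConnectionClosed() keeps connections_ clean.
std::size_t SimulateNormalClose() {
    Database db(false);
    Connection* c = db.CreateConnection();
    db.CloseConnection(c);
    return db.RunTasks();
}

int main() {
    std::printf("vulnerable  : %zu stale connection(s) in RunTasks()\n", SimulateRace(false));
    std::printf("hardened    : %zu stale connection(s) in RunTasks()\n", SimulateRace(true));
    std::printf("normal close: %zu stale connection(s) in RunTasks()\n", SimulateNormalClose());
    return 0;
}
```

The hardened branch is the one-line shape of fix the root-cause analysis points at: once `force_closing_` is set, `CreateConnection()` must reject the request, so nothing can be appended to `connections_` between `QueueRunTasks()` and the task actually running.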
## Steps to Reproduce
1. Run `python disable_aslr.py` to generate `chrome.noaslr.exe` (this generation step only works on Windows).
2. Run `python copy_mojo_js_bindings.py` and copy the generated files into the PoC folder.
3. Run `python -m http.server 1337` in the PoC folder, which must contain the Mojo bindings and the unzipped files.
4. `chrome.noaslr.exe --incognito "http://localhost:1337" --enable-blink-features=MojoJS`
5. Once the PoC is initialized (both indicators show ready), you can copy the URL and use it the next time you load the PoC to speed up its startup.
6. Click start -> spray -> exploit in the web UI.
7. If nothing went wrong, a cmd and a calc window should pop up (even with CFG enabled).
## PoC
https://github.com/user-attachments/assets/b0e33b11-1beb-4505-9986-7c3d7bfb98ad