Verification and Classification of Exploits for Node.js Vulnerabilities (ASE 2025 - Student Research Competition)

Sun 16 - Thu 20 November 2025 Seoul, South Korea

Track

ASE 2025 Student Research Competition

This program is tentative and subject to change.

Time Zone

The program is currently displayed in (GMT+09:00) Seoul.

Use conference time zone: (GMT+09:00) SeoulSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 19 Nov 2025 12:00 - 12:15 at Grand Hall 6 - Student Research Competition Presentations

Abstract

Vulnerabilities in the Node.js ecosystem pose serious security threats. Generating exploits for such vulnerabilities is a critical and essential step for fixing the vulnerabilities and understanding attack vectors. To address this need, prior work has proposed a range of methods, including static analysis approaches, dynamic analysis approaches, and LLM-based techniques. However, most studies verify only at the end of execution whether the expected effect of each vulnerability has occurred. This approach does not confirm whether the exploit actually reaches the target vulnerable sinks. As a result, it may fail to exercise the intended vulnerability or inadvertently trigger a different sink. In this study, we propose a method for validating and classifying exploits related to Node.js vulnerabilities. Our method instruments sink APIs and related objects prior to execution to capture sink APIs calls and their arguments when a sink is triggered at runtime. This lets us verify that an exploit reaches the intended sink and classify exploits by the point at which the sink is triggered.