Vue After Free: New Userland Exploit Discovered for PlayStation 4
In a significant development for the PlayStation 4 homebrew and jailbreak community, security researcher TheFlow has unveiled “Vue After Free,” a novel userland exploit targeting the PS4’s WebKit engine. This exploit leverages a use-after-free vulnerability in the Vue.js framework, which is integrated into Sony’s web-based applications on the console. Announced via the developer’s Twitter account, the exploit marks a breakthrough in userland access for newer firmware versions, extending possibilities for custom firmware installation and homebrew execution without kernel-level privileges.
The discovery stems from TheFlow’s ongoing analysis of PS4 firmware updates, particularly focusing on firmware 12.02, which remains a critical target due to its widespread adoption among users reluctant to update to patched versions. Unlike previous exploits such as the well-known WebKit vulnerabilities exploited in earlier jailbreaks, Vue After Free exploits a flaw in Vue.js version 2.6.14, as embedded in the PS4’s libSceVueJS library. This library handles JavaScript rendering for system menus and web interfaces, making it an attractive vector for remote code execution.
At its core, the vulnerability is a classic use-after-free (UAF) bug. During Vue.js template compilation, an object responsible for managing reactive data structures is freed prematurely while a reference to it persists in the application's memory. Subsequent access through this dangling pointer lets an attacker corrupt heap memory, yielding arbitrary read and write primitives. TheFlow detailed the root cause: in the compile function of Vue's template parser, a Dep object (used for dependency tracking) is released via Dep.prototype.removeSub before all references to it are cleared, which leads to a double-free scenario when the object is accessed again later during rendering.
Exploitation proceeds in stages. First, the payload is delivered via a malicious webpage hosted on a local server, accessed through the PS4’s browser or a system applet that loads Vue.js content. The initial UAF triggers a controlled memory corruption, leaking heap addresses to bypass Address Space Layout Randomization (ASLR). With leak primitives established, the exploit crafts a fake object to hijack the JavaScript engine’s just-in-time (JIT) compiler, achieving code execution in the WebKit sandbox.
From there, the chain escalates to ROP (Return-Oriented Programming) gadgets within WebKit modules, culminating in shellcode injection. The shellcode sets up a socket connection back to the attacker’s machine, invoking the sceKernelLoadStartModule syscall indirectly through userland APIs. This grants access to the libkernel_web.so library, where further primitives unlock full userland control. Notably, the exploit stabilizes with a 99% success rate on firmware 12.02, as reported by TheFlow, thanks to meticulous infoleak handling and heap grooming.
Firmware compatibility is a standout feature. Vue After Free functions reliably on all PS4 firmware versions from 9.00 up to and including 12.02. It fails on 12.50 and later because Sony patched the Vue.js integration in firmware 12.50. This broad support revitalizes older consoles stuck on intermediate firmwares, where kernel exploits such as PPPwn or the MMIO variants were incompatible. Users on 11.00 or below can chain it with existing kernel exploits to run full CFW (Custom Firmware) such as GoldHEN, while those on 12.00-12.02 gain userland entry as a stepping stone for future kernel developments.
The technical write-up, shared by TheFlow on GitHub, includes a full proof-of-concept (PoC) with HTML/JS source, server scripts for hosting, and detailed crash logs. The repository emphasizes ethical use, urging developers to target only owned consoles. Early adopters in the scene have already ported it to Spectrum, the popular multi-exploit browser extension, simplifying deployment via QR code scanning.
This exploit underscores persistent weaknesses in Sony’s WebKit deployment despite regular updates. Vue.js, chosen for its lightweight reactivity, inadvertently introduced enterprise-grade vulnerabilities into a gaming console context. Historical parallels exist with prior WebKit UAFs, but Vue After Free’s novelty lies in targeting a third-party framework rarely scrutinized in console pentesting.
For developers, the PoC serves as an educational resource on modern JavaScript exploitation. Heap feng shui techniques, such as spraying objects to control what lands in the freed UAF slot, mirror current browser-hacking trends. Mitigation strategies for Sony include stricter object lifetime management in Vue.js and sandbox hardening, though patches issued after the fact have limited effect on consoles already in the field.
The PS4 scene benefits immensely, with renewed momentum for 12.02 jailbreaks. Community figures like SpecterDev and abc have praised the work, hinting at kernel exploit pairings. As the console enters its tenth year, exploits like this sustain its longevity against Sony’s shift to PS5.
In summary, Vue After Free represents a pinnacle of userland exploitation ingenuity, blending deep framework knowledge with practical engineering. It empowers users to unlock their PS4’s potential, fostering innovation in emulation, retro gaming, and custom applications.