The search for vulnerabilities on the PlayStation 5 console continues unabated with new discoveries related to the Netflix app, which could become a potentially exploitable userland vector for future jailbreaks.

After the exploit discovered on YouTube, the scene’s attention is focused on Netflix, an app that uses modern web frameworks and engines based on WebKit or Chromium, and therefore presents a particularly large attack surface.

Interest is now sparked by the open-source tool Netflix-JS-Inject, which is capable of executing custom JavaScript code by exploiting anomalous app behavior during connection errors.

While not yet a true exploit, it represents a promising proof-of-concept, capable of opening new perspectives for the analysis of userland vulnerabilities.

Two vulnerabilities in the V8 engine, CVE-2024-4701 and CVE-2021-38003, are at the center of the discussion. The first allows heap corruption via manipulated HTML, while the second—considered more stable and proven—can lead to remote code execution through improper implementation in V8.

The latter, considered the most reliable by experts and supported by numerous public proof-of-concepts, integrates seamlessly with the Netflix-JS-Inject approach, potentially allowing code execution within the app sandbox.

Recent tests have confirmed that the tool works on PlayStation 5 consoles running firmware up to version 9.00, with promising results also on PS4.

Requirements

To use the tool, you need Python (to run mitmproxy) and mitmproxy itself. The test PC must have git and Python with pip installed, and the PC must be reachable from the PS5 on the same local network.

Quick proxy installation and startup

To install mitmproxy and clone the repository, run these commands on your PC:

# install mitmproxy
pip install mitmproxy

# clone the project repository
git clone https://github.com/earthonion/Netflix-PS4-JS-Inject/
cd Netflix-PS4-JS-Inject

# start mitmproxy with the supplied script (proxy.py)
mitmproxy -s proxy.py

The proxy.py script intercepts the Netflix app's requests to localhost and responds with the contents of inject.js when the error flow is active.

Network configuration on the PS5 (setting up the proxy)

  • On the PS5, go to Settings → Network → Set up Internet connection and choose your connection type (Wi-Fi or LAN).
  • Proceed with the automatic configuration for DNS and MTU, but when asked about the Proxy Server select “Use” and enter the IP address of the PC (the one where mitmproxy is running) and port 8080.
  • Save your settings and, when prompted, test your connection — you may need to confirm or repeat the test while the proxy is active.
  • Make sure your PC is actually reachable at the IP address you specify (same subnet, no VLANs or client-to-client isolation on your Wi-Fi network).

Running the procedure on PS5 / Netflix

  • Open the Netflix app on your PS5 and force the error condition that triggers the fallback to localhost (the UI-800 error is commonly the flow used in PoCs).
  • If the injection is successful, the error page will be loaded by the WebView and the contents of inject.js will be executed.
  • Depending on the payload inserted, the app may display a simple alert() test, or the payload may attempt to exploit a known CVE in the V8 engine; however, be careful: complex payloads can cause the app to crash immediately or freeze.
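The weakness the procedure above relies on is that the WebView executes whatever comes back for the localhost fallback request, so a proxy on the path can substitute the body. The following is an added illustration, not code from Netflix-JS-Inject or from the Netflix app, of that unverified loader beside a hardened one that pins the fallback script's SHA-256; the fetchers, script bodies and URL are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed example: models a WebView-style loader that fetches an
# error/fallback script and hands it to the script engine, first without
# verification (the pattern the page describes) and then with a pinned
# digest so a body substituted by an interception proxy is never executed.

Fetcher = Callable[[str], bytes]

# Constructed sample bodies. EXPECTED_SCRIPT is what the app shipped with;
# SUBSTITUTED_SCRIPT stands in for whatever a proxy returns instead.
EXPECTED_SCRIPT = b"document.title = 'Network error';"
SUBSTITUTED_SCRIPT = b"alert('injected');"
PINNED_SHA256 = hashlib.sha256(EXPECTED_SCRIPT).hexdigest()

FALLBACK_URL = "http://localhost/error.js"  # hypothetical fallback location


def honest_fetch(url: str) -> bytes:
    """The genuine origin answers with the real fallback script."""
    return EXPECTED_SCRIPT


def proxied_fetch(url: str) -> bytes:
    """A proxy on the path answers the fallback request with its own body."""
    return SUBSTITUTED_SCRIPT


def load_fallback_unverified(fetch: Fetcher) -> bytes:
    """Vulnerable pattern: whatever comes back is what gets executed."""
    return fetch(FALLBACK_URL)


def load_fallback_pinned(fetch: Fetcher, pinned_sha256: str) -> Optional[bytes]:
    """Hardened pattern: execute the body only if its SHA-256 matches the
    digest pinned at build time; on mismatch return None so the caller can
    show a static error page instead of running the fetched content."""
    body = fetch(FALLBACK_URL)
    digest = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        return None
    return body


if __name__ == "__main__":
    print("unverified, via proxy:", load_fallback_unverified(proxied_fetch))
    print("pinned, genuine origin:", load_fallback_pinned(honest_fetch, PINNED_SHA256))
    print("pinned, via proxy:", load_fallback_pinned(proxied_fetch, PINNED_SHA256))
```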

Suggested payload and initial tests

To start safely, first test with a harmless payload that confirms execution, such as an alert() call or a simple write to the DOM. Only after verifying that the injection works can you move on to more advanced tests, always maintaining responsibility and limiting yourself to your own devices.

Technical limitations and points of attention

This technique works in userland, within the app’s WebView, and does not bypass the kernel; to achieve a full jailbreak, a userland RCE has to be chained with a kernel vulnerability.

Additionally, the behavior is highly dependent on the PS5 firmware, the Netflix app version, and the V8 libraries included in the WebView: some older CVEs (e.g. CVE-2021-38003) are more reliable in tested contexts, while CVE-2024-4701 is newer but less mature for full chains.

After the injection, the app may crash, and Netflix or Sony may apply quick patches, so experimental results do not imply a stable or safe technique over time.

Source: Github.com
