Photo
Jianjia Yu

Ph.D Student

Johns Hopkins University

Email

Research Insterests: Web Security, System Security, Program Analysis

Linkedin | Google Scholar | Github | Resume | CV

I am final-year Ph.D Student in Computer Science at Johns Hopkins University , advised by Prof. Yinzhi Cao. My research focuses on security and privacy in web and mobile applications, using traditional program analysis and LLM techniques, that reason across complex architectures spanning multiple execution layers, language boundaries, and trust domains. I have received two Distinguished Paper Awards (IEEE S&P 2025 and ACM CCS 2023) and a Best Paper Honorable Mention (USENIX Security 2025). My work has resulted in 30+ CVEs, including widely used libraries and applications maintained by Google and Microsoft, as well as bug bounties from Meta, Vercel, and ByteDance. Before joining JHU, I obtained my bachelor's degree at Computer Science Department of Zhejiang University in 2020, where I was a member of ACEE, Chu Kochen College .

News

  • Feb. 2026 β€” Our JHU team Jay'lBreak was selected in the Amazon Nova AI Challenge 2026, with $250,000 award.
  • Oct. 2025 β€” Our paper "The First Large-Scale Systematic Study of Python Class Pollution Vulnerability" will appear at IEEE S&P 2026.
  • Aug. 2025 β€” Gave a talk on DOM clobbering at DEF CON 33.
  • May 2025 β€” Our paper "Follow My Flow" received Distinguished Paper Award at IEEE S&P 2025.

Publications

The First Large-Scale Systematic Study of Python Class Pollution Vulnerability
Zhengyu Liu, Jiacheng Zhong, Jianjia Yu, Muxi Lyu, Zifeng Kang, and Yinzhi Cao
[S&P 2026 (To appear) ] Paper | Slides | Poster

The DOMino Effect: Detecting and Exploiting DOM Clobbering Gadgets via Concolic Execution with Symbolic DOM
πŸ† Honorable Mention (6% of accepcted papers)
Artifact Badges: Available, Functional, Results Reproduced
Zhengyu Liu, Theo Lee, Jianjia Yu, Zifeng Kang, and Yinzhi Cao
[Security 2025] Paper | Slides | Poster

Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites
πŸ† Distinguished Paper Award
Zifeng Kang, Muxi Lyu, Zhengyu Liu, Jianjia Yu, Runqi Fan, Song Li, and Yinzhi Cao
[S&P 2025] Paper

RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains
Raphael J. Sofaer, Yaniv David, Mingqing Kang, Jianjia Yu, Yinzhi Cao, Junfeng Yang, and Jason Nieh
[ICSE 2024] Paper

CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation
πŸ† Distinguished Paper Award
Jianjia Yu, Song Li, Junmin Zhu, and Yinzhi Cao
[CCS 2023] Paper | Code

MiniTaintDev: Unveiling Mini-App Vulnerabilities through Dynamic Taint Analysis
Jianjia Yu, Zifeng Kang, and Yinzhi Cao
[ACM Workshop on Secure and Trustworthy Superapps (SaTS) 2023] Paper

Rendering Contention Channel Made Practical in Web Browsers
Shujiang Wu, Jianjia Yu , Min Yang, and Yinzhi Cao
[Security 2022] Paper

Preprints

Time for LaunchBreak: Detecting and Exploiting Custom URI Launch Vulnerabilities in Electron Applications via Segmented Fuzzing
Jianjia Yu, Zhengyu Liu, Ziyang Li, Yu Sun, and Yinzhi Cao
Discovered 18 zero-day vulnerabilities in popular projects (50k+ stars); received 13 acknowledgments, 11 fixes, 10 CVEs, and Vercel bug bounty.

Minnie: User Privacy Leak Detection for WeChat Miniapps via Holistic Dynamic Taint Analysis with Concolic Execution
Jianjia Yu, Zhengyu Liu, Penghui Li, Zhihan Xia, Zifeng Kang, Junfeng Yang, and Yinzhi Cao
Uncovered 2,955 privacy leaks across 412 miniapps, affecting over four million WeChat users.

Talks

The DOMino Effect: Detecting and Exploiting DOM Clobbering Gadgets via Concolic Execution with Symbolic DOM

Abstraction, Exploration, and Validation: Systematic Vulnerability Detection Across Heterogeneous Software Systems
Invited guest lecture, Pennsylvania State University

Professional Services

Program Committee
• Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb 2025)
• The Annual Computer Security Applications Conference (ACSAC 2025)

Reviewer
• The IEEE Transactions on Information Forensics and Security (IEEE T-IFS 2024, 2026)

Artifact Evaluation Committee
• The 34th USENIX Security Symposium (USENIX Security 2025)
• The Annual Computer Security Applications Conference (ACSAC 2023)

External Reviewer
• The 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2025)
• The 34th USENIX Security Symposium (USENIX Security 2025)
• The 46th IEEE Symposium on Security and Privacy (S&P 2025)
• The 19th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2024)
• The 30th USENIX Security Symposium (USENIX Security 2021)

Organizer and Volunteer
• The 52nd IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2022)

Teaching

• Course Assistant, EN 601.640 - Web Security, JHU 2023 Fall, 2022 Fall
• Teaching Assistant, EN 601.280 - Full Stack JavaScript, JHU 2022 Spring

CVEs

CVE-2025-29509 Jan
CVE-2025-54063 Cherry Studio
CVE-2025-58176 Dive
CVE-2025-50477 lbry-desktop
CVE-2025-44109 Pinokio
CVE-2025-54374 Eidos
CVE-2025-58357 5ire
CVE-2025-55733 deepchat
CVE-2025-8535 nanovault
CVE-2025-64743 paperlib
CVE-2025-55204 muffon

Experience

Research Assistant, Johns Hopkins University 2020 Sep. - Present
Advisor: Prof. Yinzhi Cao
Research Intern, Meta 2025 May - 2025 Aug.
Mentor: Andrew Liu
Research Assistant, Zhejiang University 2020 Mar. - 2020 Jun.
Advisor: Prof. Shouling Ji
Research Assistant, Johns Hopkins University 2019 Jul. - 2019 Nov.
Advisor: Prof. Yinzhi Cao
Research Assistant, Zhejiang University 2018 Nov. - 2019 Jul.
Advisor: Prof. Kejun Zhang

Misc

  • My name "θ’Ήθ‘­"" originates from the Classic of Poetryγ€Šθ―—η»γ€‹, where "θ’Ήθ‘­" refers to reeds. My name bothered me when I was young and was not very skilled at handwriting--just count the strokes! My English name is Suzy, written as "θ‹θŒœ" in Chinese. Try to find something in common between them.
  • I play Pipa, a traditional Chinese instrument. I am a member of Hopkins East Asian Traditional (HEAT) Ensemble. Check out our Youtube and Instagram.
  • See Gallery if you think Sony is the best camera and I am the best photographer.
  • Want to know more? Check my Vlogs.

Β© Johns Hopkins University.