Jianjia Yu

Jianjia Yu

Ph.D Student

Johns Hopkins University

Email:

Research Insterests: Web Security, System Security, Program Analysis

Linkedin | Google Scholar | Github | Resume | CV

I am final-year Ph.D Student in Computer Science at Johns Hopkins University , advised by Prof. Yinzhi Cao.

My research focuses on Web Security, System Security, and Program Analysis. Specifically, I design and develop techniques for vulnerability detection and privacy leak analysis through both static and dynamic program analysis methods.

Before JHU, I received my bachelor's degree at Computer Science Department of Zhejiang University in 2020.
I was a member of ACEE, Chu Kochen College .

Preprints

Time for LaunchBreak: Detecting and Exploiting Custom URI Launch Vulnerabilities in Electron Applications via Segmented Fuzzing

Jianjia Yu, Zhengyu Liu, Ziyang Li, Yu Sun, and Yinzhi Cao

Paper | Slides | Poster

Discovered 18 zero-day vulnerabilities in popular projects (50k+ stars); received 13 acknowledgments, 11 fixes, 10 CVEs, and Vercel bug bounty.

Minnie: User Privacy Leak Detection for WeChat Miniapps via Holistic Dynamic Taint Analysis with Concolic Execution

Jianjia Yu, Zhengyu Liu, Penghui Li, Zhihan Xia, Zifeng Kang, Junfeng Yang, and Yinzhi Cao

Paper | Slides | Poster

Uncovered 2,955 privacy leaks across 412 miniapps, affecting over four million WeChat users.

Publications

The First Large-Scale Systematic Study of Python Class Pollution Vulnerability

Zhengyu Liu, Jiacheng Zhong, Jianjia Yu, Muxi Lyu, Zifeng Kang, and Yinzhi Cao

[S&P 2026 (To appear) ] Paper | Slides | Poster

The DOMino Effect: Detecting and Exploiting DOM Clobbering Gadgets via Concolic Execution with Symbolic DOM

🏆 Honorable Mention (6% of accepcted papers)

Artifact Badges: Available, Functional, Results Reproduced

Zhengyu Liu, Theo Lee, Jianjia Yu, Zifeng Kang, and Yinzhi Cao

[Security 2025] Paper | Slides | Poster

Follow My Flow: Unveiling Client-Side Prototype Pollution Gadgets from One Million Real-World Websites

🏆 Distinguished Paper Award

Zifeng Kang, Muxi Lyu, Zhengyu Liu, Jianjia Yu, Runqi Fan, Song Li, and Yinzhi Cao

[S&P 2025] Paper

RogueOne: Detecting Rogue Updates via Differential Data-flow Analysis Using Trust Domains

Raphael J. Sofaer, Yaniv David, Mingqing Kang, Jianjia Yu, Yinzhi Cao, Junfeng Yang, and Jason Nieh

[ICSE 2024] Paper

CoCo: Efficient Browser Extension Vulnerability Detection via Coverage-guided, Concurrent Abstract Interpretation

🏆 Distinguished Paper Award

Jianjia Yu, Song Li, Junmin Zhu, and Yinzhi Cao

[CCS 2023] Paper | Code

MiniTaintDev: Unveiling Mini-App Vulnerabilities through Dynamic Taint Analysis

Jianjia Yu, Zifeng Kang, and Yinzhi Cao

[ACM Workshop on Secure and Trustworthy Superapps (SaTS) 2023] Paper

Rendering Contention Channel Made Practical in Web Browsers

Shujiang Wu, Jianjia Yu , Min Yang, and Yinzhi Cao

[Security 2022] Paper

Talks

The DOMino Effect: Detecting and Exploiting DOM Clobbering Gadgets via Concolic Execution with Symbolic DOM

[DEFCON 33] Slides | Video

Abstraction, Exploration, and Validation: Systematic Vulnerability Detection Across Heterogeneous Software Systems

Invited guest lecture, Pennsylvania State University

Experience

Research Assistant, Johns Hopkins University	2020 Sep. - Present
Advisor: Prof. Yinzhi Cao
Research Assistant, Zhejiang University	2020 Mar. - 2020 Jun.
Advisor: Prof. Shouling Ji
Research Assistant, Johns Hopkins University	2019 Jul. - 2019 Nov.
Advisor: Prof. Yinzhi Cao
Research Assistant, Zhejiang University	2018 Nov. - 2019 Jul.
Advisor: Prof. Kejun Zhang

Professional Services

Program Committee

• Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb 2025)

• The Annual Computer Security Applications Conference (ACSAC 2025)

Reviewer

• The IEEE Transactions on Information Forensics and Security (IEEE T-IFS 2024)

Artifact Evaluation Committee

• The 34th USENIX Security Symposium (USENIX Security 2025)

• The Annual Computer Security Applications Conference (ACSAC 2023)

External reviewer

• The 28th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2025)

• The 34th USENIX Security Symposium (USENIX Security 2025)

• The 46th IEEE Symposium on Security and Privacy (S&P 2025)

• The 19th ACM ASIA Conference on Computer and Communications Security (ASIACCS 2024)

• The 30th USENIX Security Symposium (USENIX Security 2021)

Organizer and Volunteer

• The 52nd IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2022)

Teaching Experience

• Course Assistant, EN 601.640 - Web Security, JHU	2023 Fall, 2022 Fall
• Teaching Assistant, EN 601.280 - Full Stack JavaScript, JHU	2022 Spring

CVEs

CVE	App
• CVE-2025-29509	Jan
• CVE-2025-54063	Cherry Studio
• CVE-2025-58176	Dive
• CVE-2025-50477	lbry-desktop
• CVE-2025-44109	Pinokio
• CVE-2025-54374	Eidos
• CVE-2025-58357	5ire
• CVE-2025-55733	deepchat
• CVE-2025-8535	nanovault
• CVE-2025-64743	paperlib
• CVE-2025-55204	muffon

Misc

• My name "蒹葭"" originates from the Classic of Poetry《诗经》, where "蒹葭" refers to reeds. My name "bothered" me a lot when I was young and was not very skilled at handwriting--just count the strokes! My English name is Suzy, written as "苏茜" in Chinese. Try to find something in common between them.

• I play Pipa, a traditional Chinese instrument. I am a member of Hopkins East Asian Traditional (HEAT) Ensemble. Check out our Youtube and Instagram.

• See Gallery if you think Sony is the best camera and I am the best photographer.

• Want to know more? Check my Vlogs.