js-vuln-db

A collection of JavaScript engine CVEs with PoCs

Case Study of JavaScript Engine Vulnerabilities

V8

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie |
| CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot |
| CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt |
| CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler |
| CVE-2014-7928 | Optimization | Array | Christian Holler |
| CVE-2015-1233 | Optimization | Array, OOB | ? |
| CVE-2015-1242 | Optimization | Array, Type Confusion | fcole@onshape.com |
| CVE-2015-6764 | JSON.stringify | Side Effect, OOB | Guang Gong [1] |
| CVE-2015-6771 | TypedArray.map | Prototype, OOB | ? |
| CVE-2015-8584 | JSON.stringify | Side Effect, OOB | ? |
| CVE-2016-1646 | Array.concat | Side Effect, OOB | Wen Xu [2] |
| CVE-2016-1653 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-1665 | Optimization | asm.js | HyungSeok Han [6] |
| CVE-2016-1669 | RegExp | Heap Overflow, Integer Overflow | Choongwoo Han [6] |
| CVE-2016-1677 | decodeURI | Side Effect, Information Leak | Guang Gong [1] |
| CVE-2016-1688 | RegExp | | Max Korenko |
| CVE-2016-5129 | Array | Side Effect | Jeonghoon Shin |
| CVE-2016-5172 | Parser | Scope, eval | Choongwoo Han [6] |
| CVE-2016-5198 | Optimization | parseInt, Compiler, OOB | Tencent Keen Security Lab |
| CVE-2016-5200 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-9651 | Object.assign | Logic, Property | Guang Gong [1] |
| CVE-2017-5030 | Array.concat | Side Effect, OOB | Brendon Tiszka |
| CVE-2017-5040 | Array.indexOf | TypedArray, Side Effect, Buffer Neutering | Choongwoo Han |
| CVE-2017-5053 | Array.indexOf | Side Effect | Team Sniper [2] |
| CVE-2017-5070 | Optimization | Array, Type Confusion | Zhao Qixun [5] |
| CVE-2017-5071 | Compiler | OOB | Choongwoo Han |
| CVE-2017-5088 | wasm | Information Leak | Xiling Gong [7] |
| CVE-2017-5098 | Parser | Use After Free | Jihoon Kim [6] |
| CVE-2017-5115 | Compiler | OOB | Marco Giovannini |
| CVE-2017-5116 | wasm | Race Condition | Guang Gong [1] |
| CVE-2017-5121 | Compiler | Uninitialized Memory | Jordan Rabet [9] |
| CVE-2017-5122 | wasm | Side Effect, OOB | Choongwoo Han [8] |
| CVE-2017-15399 | wasm | Use After Free | Zhao Qixun [5] |
| CVE-2017-15401 | wasm | Side Effect, OOB | ? |

ChakraCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-3386 | Spread Operator | Array, Proxy, Stack Overflow | Richard Zhu |
| CVE-2016-7189 | Array.join | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7190 | Array.map | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7194 | Function.apply | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7200 | Array.filter | Heap Corruption | Natalie Silvanovich [3] |
| CVE-2016-7201 | Array | Prototype, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7202 | Array.reverse | Overflow | Natalie Silvanovich [3] |
| CVE-2016-7203 | Array.splice | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7240 | eval | Proxy, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7241 | JSON.parse | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7286 | SIMD.toLocaleString | Uninitialized Memory | Natalie Silvanovich [3] |
| CVE-2016-7287 | Intl | Initialization, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7288 | TypedArray.sort | Side Effect, Buffer Neutering | Natalie Silvanovich [3] |
| CVE-2017-0015 | Spread Operator | Side Effect, Uninitialized Memory | Qixun Zhao [4]; lokihardt; Simon Zuckerbraun |
| CVE-2017-0071 | Optimization | Array, Type Confusion | lokihardt [3] |
| CVE-2017-0134 | Array.concat | Side Effect, Type Confusion | Jordan Rabet |
| CVE-2017-0141 | Array.reverse | Side Effect | Semmle Inc |
| CVE-2017-8548 | Optimization | Array | lokihardt [3] |
| CVE-2017-8601 | Optimization | Array | lokihardt [3] |
| CVE-2017-8634 | Array.concat | Side Effect | Hao Lian [5]; HyungSeok Han [6] |
| CVE-2017-8636 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-8640 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8645 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8646 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8656 | try | Uninitialized Memory | lokihardt [3] |
| CVE-2017-8657 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8670 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8671 | Function.call | Integer Overflow | lokihardt [3] |
| CVE-2017-8729 | Parser | Object | lokihardt [3] |
| CVE-2017-8740 | Parser | Scope | lokihardt [3] |
| CVE-2017-8751 | Object.setPrototypeOf | Memory Corruption | lokihardt [3] |
| CVE-2017-8755 | Parser | asm.js | lokihardt [3] |
| CVE-2017-11764 | Parser | eval | lokihardt [3] |
| CVE-2017-11799 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11802 | Compiler | String.replace, Type Confusion | lokihardt [3] |
| CVE-2017-11809 | Compiler | Recursive Function, Uninitialized Memory | lokihardt [3] |
| CVE-2017-11811 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11839 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11840 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11841 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11861 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-11870 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11873 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11893 | Compiler | JIT, Math | lokihardt [3] |
| CVE-2017-11909 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11911 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2017-11914 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11918 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0758 | String | Integer Overflow | lokihardt [3] |
| CVE-2018-0767 | Array | OOB | lokihardt [3] |
| CVE-2018-0769 | Compiler | JIT, OOB | lokihardt [3] |
| CVE-2018-0770 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0774 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0775 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0776 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0777 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0780 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2018-0834 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0835 | Compiler | Array.reverse, Type Confusion | lokihardt [3] |
| CVE-2018-0837 | Compiler | JIT, Type Confusion | lokihardt [3] |
| CVE-2018-0838 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0840 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0860 | Compiler | JIT, Information Leak | lokihardt [3] |
| CVE-2018-0933 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0934 | Compiler | JIT, Bailout | lokihardt [3] |

JavaScriptCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-1857 | Array.join | Side Effect, Use After Free | Liang Chen, Zhen Feng, wushi [2]; Jeonghoon Shin |
| CVE-2016-4622 | Array.slice | Side Effect, OOB | Samuel Groß |
| CVE-2016-4734 | TypedArray.copyWithin, TypedArray.fill | Side Effect, Buffer Neutering | Natalie Silvanovich [3] |
| CVE-2017-2446 | Function.caller | Type Confusion | Natalie Silvanovich [3] |
| CVE-2017-2447 | Function.bind | OOB | Natalie Silvanovich [3] |
| CVE-2017-2464 | Array.concat | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2017-2491 | String.replace | RegExp, Use After Free | Samuel Groß and Niklas Baumstark |
| CVE-2017-2521 | Array.length | OOB | lokihardt [3] |
| CVE-2017-2531 | | OOB | lokihardt [3] |
| CVE-2017-2536 | Spread Operator | Array, Integer Overflow | Samuel Groß and Niklas Baumstark |
| CVE-2017-2547 | Optimization | parseInt, Compiler, OOB | lokihardt [3] |
| CVE-2017-6980 | Array.splice | Uninitialized Memory | lokihardt [3] |
| CVE-2017-6984 | Intl.getCanonicalLocales | Heap Overflow | lokihardt [3] |
| CVE-2017-7056 | arguments | Uninitialized Memory | lokihardt [3] |
| CVE-2017-7061 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2017-7092 | String.link | Heap Overflow | Samuel Groß and Niklas Baumstark; Qixun Zhao [5] |
| CVE-2017-7117 | Compiler | for-in, Type Confusion | lokihardt [3] |

SpiderMonkey

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2014-1513 | TypedArray.subarray | OOB, Buffer Neutering, Side Effect | Jüri Aedla |

JScript

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2017-11793 | JSON | Use After Free | ifratric [3] |
| CVE-2017-11855 | Array.slice | Uninitialized Variable | ifratric [3] |
| CVE-2017-11890 | RegExp | Heap Overflow | ifratric [3] |
| CVE-2017-11903 | Array.join | Use After Free | ifratric [3] |
| CVE-2017-11906 | RegExp | OOB | ifratric [3] |
| CVE-2017-11907 | Array.sort | Heap Overflow | ifratric [3] |
| CVE-2018-0891 | RegExp.lastMatch | Memory Disclosure | ifratric [3] |

[1] Qihoo 360
[2] Tencent KeenLab
[3] Google Project Zero
[4] Qihoo 360 Skyeye Labs
[5] Qihoo 360 Vulcan Team
[6] KAIST SoftSec
[7] Tencent Security Platform Department
[8] Naver Corporation
[9] Microsoft