A collection of JavaScript engine CVEs with PoCs
Latest commit 92c9095 Jul 13, 2018
| Path | Last commit | Date |
|---|---|---|
| chakra | Add some Chakra bugs | Jul 13, 2018 |
| jsc | Add CVE-2018-4233 | Jun 24, 2018 |
| jscript | Add CVE-2018-0935 | Apr 6, 2018 |
| spidermonkey | Add CVE 2014-1513 | Mar 1, 2017 |
| v8 | Add CVE-2018-6065 | May 26, 2018 |
| README.md | Add some Chakra bugs | Jul 13, 2018 |

# Case Study of JavaScript Engine Vulnerabilities

## V8

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie |
| CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot |
| CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt |
| CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler |
| CVE-2014-7928 | Optimization | Array | Christian Holler |
| CVE-2015-1233 | Optimization | Array, OOB | ? |
| CVE-2015-1242 | Optimization | Array, Type Confusion | fcole@onshape.com |
| CVE-2015-6764 | JSON.stringify | Side Effect, OOB | Guang Gong [1] |
| CVE-2015-6771 | TypedArray.map | Prototype, OOB | ? |
| CVE-2015-8584 | JSON.stringify | Side Effect, OOB | ? |
| CVE-2016-1646 | Array.concat | Side Effect, OOB | Wen Xu [2] |
| CVE-2016-1653 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-1665 | Optimization | asm.js | HyungSeok Han [6] |
| CVE-2016-1669 | RegExp | Heap Overflow, Integer Overflow | Choongwoo Han [6] |
| CVE-2016-1677 | decodeURI | Side Effect, Information Leak | Guang Gong [1] |
| CVE-2016-1688 | RegExp | | Max Korenko |
| CVE-2016-5129 | Array | Side Effect | Jeonghoon Shin |
| CVE-2016-5172 | Parser | Scope, eval | Choongwoo Han [6] |
| CVE-2016-5198 | Optimization | parseInt, Compiler, OOB | Tencent Keen Security Lab |
| CVE-2016-5200 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-9651 | Object.assign | Logic, Property | Guang Gong [1] |
| CVE-2017-5030 | Array.concat | Side Effect, OOB | Brendon Tiszka |
| CVE-2017-5040 | Array.indexOf | TypedArray, Side Effect, Buffer Neutering | Choongwoo Han |
| CVE-2017-5053 | Array.indexOf | Side Effect | Team Sniper [2] |
| CVE-2017-5070 | Optimization | Array, Type Confusion | Zhao Qixun [5] |
| CVE-2017-5071 | Compiler | OOB | Choongwoo Han |
| CVE-2017-5088 | wasm | Information Leak | Xiling Gong [7] |
| CVE-2017-5098 | Parser | Use After Free | Jihoon Kim [6] |
| CVE-2017-5115 | Compiler | OOB | Marco Giovannini |
| CVE-2017-5116 | wasm | Race Condition | Guang Gong [1] |
| CVE-2017-5121 | Compiler | Uninitialized Memory | Jordan Rabet [9] |
| CVE-2017-5122 | wasm | OOB | Choongwoo Han [8] |
| CVE-2017-15399 | wasm | Use After Free | Zhao Qixun [5] |
| CVE-2017-15401 | wasm | Side Effect, OOB | ? |
| CVE-2018-6056 | Object | OOB | lokihardt [3] |
| CVE-2018-6061 | wasm | Race Condition | Guang Gong [1] |
| CVE-2018-6064 | Object.entries | Side Effect, OOB | lokihardt [3] |
| CVE-2018-6065 | Object | Integer Overflow | Mark Brand [3] |
| CVE-2018-6106 | async generator | Side Effect, Type Confusion | lokihardt [3] |

## ChakraCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-3386 | Spread Operator | Array, Proxy, Stack Overflow | Richard Zhu |
| CVE-2016-7189 | Array.join | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7190 | Array.map | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7194 | Function.apply | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7200 | Array.filter | Heap Corruption | Natalie Silvanovich [3] |
| CVE-2016-7201 | Array | Prototype, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7202 | Array.reverse | Overflow | Natalie Silvanovich [3] |
| CVE-2016-7203 | Array.splice | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7240 | eval | Proxy, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7241 | JSON.parse | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7286 | SIMD.toLocaleString | Uninitialized Memory | Natalie Silvanovich [3] |
| CVE-2016-7287 | Intl | Initialization, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7288 | TypedArray.sort | Side Effect, Buffer Neutering | Natalie Silvanovich [3] |
| CVE-2017-0015 | Spread Operator | Side Effect, Uninitialized Memory | Qixun Zhao [4], lokihardt, Simon Zuckerbraun |
| CVE-2017-0071 | Optimization | Array, Type Confusion | lokihardt [3] |
| CVE-2017-0134 | Array.concat | Side Effect, Type Confusion | Jordan Rabet |
| CVE-2017-0141 | Array.reverse | Side Effect | Semmle Inc |
| CVE-2017-0234 | ArrayBuffer | OOB | Yuange [10] |
| CVE-2017-0236 | ArrayBuffer | UAF | Tencent Security Lance Team, Yuki Chen [5] |
| CVE-2017-8548 | Optimization | Array | lokihardt [3] |
| CVE-2017-8601 | Optimization | Array | lokihardt [3] |
| CVE-2017-8634 | Array.concat | Side Effect | Hao Lian [5], HyungSeok Han [6] |
| CVE-2017-8636 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-8640 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8645 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8646 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8656 | try | Uninitialized Memory | lokihardt [3] |
| CVE-2017-8657 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8670 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8671 | Function.call | Integer Overflow | lokihardt [3] |
| CVE-2017-8729 | Parser | Object | lokihardt [3] |
| CVE-2017-8740 | Parser | Scope | lokihardt [3] |
| CVE-2017-8755 | Parser | asm.js | lokihardt [3] |
| CVE-2017-11764 | Parser | eval | lokihardt [3] |
| CVE-2017-11799 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11802 | Compiler | String.replace, Type Confusion | lokihardt [3] |
| CVE-2017-11809 | Compiler | Uninitialized Memory | lokihardt [3] |
| CVE-2017-11811 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11839 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11840 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11841 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11861 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-11870 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11873 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11893 | Compiler | JIT, Math | lokihardt [3] |
| CVE-2017-11909 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11911 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2017-11914 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11918 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0758 | String | Integer Overflow | lokihardt [3] |
| CVE-2018-0767 | Array | OOB | lokihardt [3] |
| CVE-2018-0769 | Compiler | JIT, OOB | lokihardt [3] |
| CVE-2018-0770 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0774 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0775 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0776 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0777 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0780 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2018-0834 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0835 | Compiler | Array.reverse, Type Confusion | lokihardt [3] |
| CVE-2018-0837 | Compiler | JIT, Type Confusion | lokihardt [3] |
| CVE-2018-0838 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0840 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0860 | Compiler | JIT, Information Leak | lokihardt [3] |
| CVE-2018-0933 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0934 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0953 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-0980 | Compiler | Bound Check Elimination | lokihardt [3] |
| CVE-2018-8139 | Function | OOB | lokihardt [3] |
| CVE-2018-8145 | JIT | OOB | lokihardt [3] |
| CVE-2018-8229 | JIT | Type Confusion | lokihardt [3] |

## JavaScriptCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-1857 | Array.join | Side Effect, Use After Free | Liang Chen, Zhen Feng, wushi [2], Jeonghoon Shin |
| CVE-2016-4622 | Array.slice | Side Effect, OOB | Samuel Groß |
| CVE-2016-4734 | TypedArray.copyWithin, TypedArray.fill | Side Effect, Buffer Neutering | Natalie Silvanovich [3] |
| CVE-2017-2446 | Function.caller | Type Confusion | Natalie Silvanovich [3] |
| CVE-2017-2447 | Function.bind | OOB | Natalie Silvanovich [3] |
| CVE-2017-2464 | Array.concat | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2017-2491 | String.replace | RegExp, Use After Free | Samuel Groß and Niklas Baumstark |
| CVE-2017-2521 | Array.length | OOB | lokihardt [3] |
| CVE-2017-2531 | | OOB | lokihardt [3] |
| CVE-2017-2536 | Spread Operator | Array, Integer Overflow | Samuel Groß and Niklas Baumstark |
| CVE-2017-2547 | Optimization | parseInt, Compiler, OOB | lokihardt [3] |
| CVE-2017-6980 | Array.splice | Uninitialized Memory | lokihardt [3] |
| CVE-2017-6984 | Intl.getCanonicalLocales | Heap Overflow | lokihardt [3] |
| CVE-2017-7056 | arguments | Uninitialized Memory | lokihardt [3] |
| CVE-2017-7061 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2017-7092 | String.link | Heap Overflow | Samuel Groß and Niklas Baumstark, Qixun Zhao [5] |
| CVE-2017-7117 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2018-4233 | Compiler | Proxy, Array, Type Confusion | Samuel Groß |

## SpiderMonkey

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2014-1513 | TypedArray.subarray | OOB, Buffer Neutering, Side Effect | Jüri Aedla |

## JScript

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2017-11793 | JSON | Use After Free | ifratric [3] |
| CVE-2017-11855 | Array.slice | Uninitialized Variable | ifratric [3] |
| CVE-2017-11890 | RegExp | Heap Overflow | ifratric [3] |
| CVE-2017-11903 | Array.join | Use After Free | ifratric [3] |
| CVE-2017-11906 | RegExp | OOB | ifratric [3] |
| CVE-2017-11907 | Array.sort | Heap Overflow | ifratric [3] |
| CVE-2018-0891 | RegExp.lastMatch | Memory Disclosure | ifratric [3] |
| CVE-2018-0935 | Array | Use After Free | ifratric [3] |

[1] Qihoo 360
[2] Tencent KeenLab
[3] Google Project Zero
[4] Qihoo 360 Skyeye Labs
[5] Qihoo 360 Vulcan Team
[6] KAIST SoftSec
[7] Tencent Security Platform Department
[8] Naver Corporation
[9] Microsoft
[10] Tencent Zhanlu Lab