tunz committed 26d3f06 Sep 3, 2019
# Case Study of JavaScript Engine Vulnerabilities

## V8

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie |
| CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot |
| CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt |
| CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler |
| CVE-2014-7928 | Optimization | Array | Christian Holler |
| CVE-2015-1233 | Optimization | Array, OOB | ? |
| CVE-2015-1242 | Optimization | Array, Type Confusion | fcole@onshape.com |
| CVE-2015-6764 | JSON.stringify | Side Effect, OOB | Guang Gong [1] |
| CVE-2015-6771 | TypedArray.map | Prototype, OOB | ? |
| CVE-2015-8584 | JSON.stringify | Side Effect, OOB | ? |
| CVE-2016-1646 | Array.concat | Side Effect, OOB | Wen Xu [2] |
| CVE-2016-1653 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-1665 | Optimization | asm.js | HyungSeok Han [6] |
| CVE-2016-1669 | RegExp | Heap Overflow, Integer Overflow | Choongwoo Han [6] |
| CVE-2016-1677 | decodeURI | Side Effect, Information Leak | Guang Gong [1] |
| CVE-2016-1688 | RegExp | | Max Korenko |
| CVE-2016-5129 | Array | Side Effect | Jeonghoon Shin |
| CVE-2016-5172 | Parser | Scope, eval | Choongwoo Han [6] |
| CVE-2016-5198 | Optimization | parseInt, Compiler, OOB | Tencent Keen Security Lab |
| CVE-2016-5200 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-9651 | Object.assign | Logic, Property | Guang Gong [1] |
| CVE-2017-5030 | Array.concat | Side Effect, OOB | Brendon Tiszka |
| CVE-2017-5040 | Array.indexOf | TypedArray, Side Effect, Detach Buffer | Choongwoo Han |
| CVE-2017-5053 | Array.indexOf | Side Effect | Team Sniper [2] |
| CVE-2017-5070 | Optimization | Array, Type Confusion | Zhao Qixun [5] |
| CVE-2017-5071 | Compiler | OOB | Choongwoo Han |
| CVE-2017-5088 | wasm | Information Leak | Xiling Gong [7] |
| CVE-2017-5098 | Parser | Use After Free | Jihoon Kim [6] |
| CVE-2017-5115 | Compiler | OOB | Marco Giovannini |
| CVE-2017-5116 | wasm | Race Condition | Guang Gong [1] |
| CVE-2017-5121 | Compiler | Uninitialized Memory | Jordan Rabet [9] |
| CVE-2017-5122 | wasm | OOB | Choongwoo Han [8] |
| CVE-2017-15399 | wasm | Use After Free | Zhao Qixun [5] |
| CVE-2017-15401 | wasm | Side Effect, OOB | ? |
| CVE-2018-6056 | Object | OOB | lokihardt [3] |
| CVE-2018-6061 | wasm | Race Condition | Guang Gong [1] |
| CVE-2018-6064 | Object.entries | Side Effect, OOB | lokihardt [3] |
| CVE-2018-6065 | Object | Integer Overflow | Mark Brand [3] |
| CVE-2018-6092 | wasm | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2018-6106 | async generator | Side Effect, Type Confusion | lokihardt [3] |
| CVE-2018-6122 | wasm | async, Side Effect, Type Confusion | ? |
| CVE-2018-6136 | RegExp | Side Effect, Type Confusion | Peter Wong |
| CVE-2018-6142 | Map | Information Leak, OOB | Choongwoo Han [8] |
| CVE-2018-6143 | RegExp | Side Effect, OOB | Guang Gong [1] |
| CVE-2018-6149 | String.split | Allocator, OOB | Yu Zhou and Jundong Xie [11] |
| CVE-2018-16065 | TypedArray.of | Side Effect, OOB, Detach Buffer | Brendon Tiszka |
| CVE-2018-17463 | Compiler | Object.create | Samuel Gross |
| CVE-2019-5755 | Compiler | OOB | Jay Bosamiya |
| CVE-2019-5782 | Compiler | OOB | Zhao Qixun [5] |
| CVE-2019-5784 | Optimization | Allocator | lupin |

## ChakraCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-3386 | Spread Operator | Array, Proxy, Stack Overflow | Richard Zhu |
| CVE-2016-7189 | Array.join | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7190 | Array.map | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7194 | Function.apply | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7200 | Array.filter | Heap Corruption | Natalie Silvanovich [3] |
| CVE-2016-7201 | Array | Prototype, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7202 | Array.reverse | Overflow | Natalie Silvanovich [3] |
| CVE-2016-7203 | Array.splice | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7240 | eval | Proxy, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7241 | JSON.parse | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7286 | SIMD.toLocaleString | Uninitialized Memory | Natalie Silvanovich [3] |
| CVE-2016-7287 | Intl | Initialization, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7288 | TypedArray.sort | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-0015 | Spread Operator | Side Effect, Uninitialized Memory | Qixun Zhao [4], lokihardt, Simon Zuckerbraun |
| CVE-2017-0071 | Optimization | Array, Type Confusion | lokihardt [3] |
| CVE-2017-0134 | Array.concat | Side Effect, Type Confusion | Jordan Rabet |
| CVE-2017-0141 | Array.reverse | Side Effect | Semmle Inc |
| CVE-2017-0234 | ArrayBuffer | OOB | Yuange [10] |
| CVE-2017-0236 | ArrayBuffer | UAF | Tencent Security Lance Team, Yuki Chen [5] |
| CVE-2017-8548 | Optimization | Array | lokihardt [3] |
| CVE-2017-8601 | Optimization | Array | lokihardt [3] |
| CVE-2017-8634 | Array.concat | Side Effect | Hao Lian [5], HyungSeok Han [6] |
| CVE-2017-8636 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-8640 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8645 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8646 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8656 | try | Uninitialized Memory | lokihardt [3] |
| CVE-2017-8657 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8670 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8671 | Function.call | Integer Overflow | lokihardt [3] |
| CVE-2017-8729 | Parser | Object | lokihardt [3] |
| CVE-2017-8740 | Parser | Scope | lokihardt [3] |
| CVE-2017-8755 | Parser | asm.js | lokihardt [3] |
| CVE-2017-11764 | Parser | eval | lokihardt [3] |
| CVE-2017-11799 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11802 | Compiler | String.replace, Type Confusion | lokihardt [3] |
| CVE-2017-11809 | Compiler | Uninitialized Memory | lokihardt [3] |
| CVE-2017-11811 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11839 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11840 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11841 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11861 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-11870 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11873 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11893 | Compiler | JIT, Math | lokihardt [3] |
| CVE-2017-11909 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11911 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2017-11914 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11918 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0758 | String | Integer Overflow | lokihardt [3] |
| CVE-2018-0767 | Array | OOB | lokihardt [3] |
| CVE-2018-0769 | Compiler | JIT, OOB | lokihardt [3] |
| CVE-2018-0770 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0774 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0775 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0776 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0777 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0780 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2018-0834 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0835 | Compiler | Array.reverse, Type Confusion | lokihardt [3] |
| CVE-2018-0837 | Compiler | JIT, Type Confusion | lokihardt [3] |
| CVE-2018-0838 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0840 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0860 | Compiler | JIT, Information Leak | lokihardt [3] |
| CVE-2018-0933 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0934 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0953 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-0980 | Compiler | Bound Check Elimination | lokihardt [3] |
| CVE-2018-8139 | Function | OOB | lokihardt [3] |
| CVE-2018-8145 | JIT | OOB | lokihardt [3] |
| CVE-2018-8229 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8279 | Parser | Parameter Scope | lokihardt [3] |
| CVE-2018-8288 | Compiler | JIT | lokihardt [3] |
| CVE-2018-8291 | Property | Type Confusion | lokihardt [3] |
| CVE-2018-8298 | Intl | TimeFormat | lokihardt [3] |
| CVE-2018-8355 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8384 | PathTypeHandler | Type Confusion | lokihardt [3] |
| CVE-2018-8466 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8467 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8617 | Optimization | Type Confusion | lokihardt [3] |
| CVE-2019-0539 | JIT | Type Confusion | lokihardt [3] |
| CVE-2019-0567 | JIT | Type Confusion | lokihardt [3] |
| CVE-2019-0568 | JIT | Use After Free | lokihardt [3] |

## JavaScriptCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-1857 | Array.join | Side Effect, Use After Free | Liang Chen, Zhen Feng, wushi [2], Jeonghoon Shin |
| CVE-2016-4622 | Array.slice | Side Effect, OOB | Samuel Groß |
| CVE-2016-4734 | TypedArray.copyWithin, TypedArray.fill | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-2446 | Function.caller | Type Confusion | Natalie Silvanovich [3] |
| CVE-2017-2447 | Function.bind | OOB | Natalie Silvanovich [3] |
| CVE-2017-2464 | Array.concat | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2017-2491 | String.replace | RegExp, Use After Free | Samuel Groß and Niklas Baumstark |
| CVE-2017-2521 | Array.length | OOB | lokihardt [3] |
| CVE-2017-2531 | | OOB | lokihardt [3] |
| CVE-2017-2536 | Spread Operator | Array, Integer Overflow | Samuel Groß and Niklas Baumstark |
| CVE-2017-2547 | Optimization | parseInt, Compiler, OOB | lokihardt [3] |
| CVE-2017-6980 | Array.splice | Uninitialized Memory | lokihardt [3] |
| CVE-2017-6984 | Intl.getCanonicalLocales | Heap Overflow | lokihardt [3] |
| CVE-2017-7056 | arguments | Uninitialized Memory | lokihardt [3] |
| CVE-2017-7061 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2017-7092 | String.link | Heap Overflow | Samuel Groß and Niklas Baumstark, Qixun Zhao [5] |
| CVE-2017-7117 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2018-4233 | Compiler | Proxy, Array, Type Confusion | Samuel Groß |
| CVE-2018-4382 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4386 | Compiler | Incorrect Optimization | lokihardt [3] |
| CVE-2018-4416 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4438 | Compiler | Prototype Chains | lokihardt [3] |
| CVE-2018-4441 | JSArray | OOB | lokihardt [3] |
| CVE-2018-4442 | JIT | Use After Free | lokihardt [3] |
| CVE-2018-4443 | AbstractValue | Use After Free | lokihardt [3] |
| CVE-2019-6215 | Optimization | Type Confusion | lokihardt [3] |
| CVE-2019-8506 | RegExp | Type Confusion | Samuel Groß [3] |
| CVE-2019-8518 | JIT | OOB | Samuel Groß [3] |
| CVE-2019-8558 | CodeBlock | UAF | Samuel Groß [3] |

## SpiderMonkey

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2014-1513 | TypedArray.subarray | OOB, Detach Buffer, Side Effect | Jüri Aedla |
| CVE-2018-12387 | Array.prototype.push | Memory Disclosure | Bruno Keith and Niklas Baumstark |
| CVE-2019-9791 | OSR, JIT | Type Confusion | Samuel Groß [3] |
| CVE-2019-9813 | Prototype, JIT | Type Confusion | Samuel Groß [3] |

## JScript

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2017-11793 | JSON | Use After Free | ifratric [3] |
| CVE-2017-11855 | Array.slice | Uninitialized Variable | ifratric [3] |
| CVE-2017-11890 | RegExp | Heap Overflow | ifratric [3] |
| CVE-2017-11903 | Array.join | Use After Free | ifratric [3] |
| CVE-2017-11906 | RegExp | OOB | ifratric [3] |
| CVE-2017-11907 | Array.sort | Heap Overflow | ifratric [3] |
| CVE-2018-0891 | RegExp.lastMatch | Memory Disclosure | ifratric [3] |
| CVE-2018-0935 | Array | Use After Free | ifratric [3] |
| CVE-2018-8353 | RegExp | Use After Free | ifratric [3] |
| CVE-2018-8631 | Array | OOB | ifratric [3] |
| CVE-2018-8389 | ActiveXObject | Use After Free | Sudhakar Verma and Ashfaq Ansari [12] |
| CVE-2019-0930 | getVarDate | Use After Free | Krishnakant Patil and Siddhant Badhe [12] |

[1] Qihoo 360
[2] Tencent KeenLab
[3] Google Project Zero
[4] Qihoo 360 Skyeye Labs
[5] Qihoo 360 Vulcan Team
[6] KAIST SoftSec
[7] Tencent Security Platform Department
[8] Naver Corporation
[9] Microsoft
[10] Tencent Zhanlu Lab
[11] Ant-financial Light-Year Security Lab
[12] Project Srishti

## About

A collection of JavaScript engine CVEs with PoCs