A collection of JavaScript engine CVEs with PoCs
Latest commit 7b04f68 Feb 11, 2019
Repository contents (directory, latest commit message, commit date):

- chakra: Add CVE-2018-8466 and CVE-2018-8467 (Oct 9, 2018)
- jsc: Add CVE-2018-4441 and CVE-2018-4443 (Dec 27, 2018)
- jscript: Add CVE-2018-8389 (Jan 9, 2019)
- spidermonkey: Add CVE-2018-12387 (Oct 10, 2018)
- v8: Update TODO.md (Feb 11, 2019)
- README.md: Use a term "Detach" instead of "Neuter" (Jan 14, 2019)


# Case Study of JavaScript Engine Vulnerabilities

## V8

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie |
| CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot |
| CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt |
| CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler |
| CVE-2014-7928 | Optimization | Array | Christian Holler |
| CVE-2015-1233 | Optimization | Array, OOB | ? |
| CVE-2015-1242 | Optimization | Array, Type Confusion | fcole@onshape.com |
| CVE-2015-6764 | JSON.stringify | Side Effect, OOB | Guang Gong [1] |
| CVE-2015-6771 | TypedArray.map | Prototype, OOB | ? |
| CVE-2015-8584 | JSON.stringify | Side Effect, OOB | ? |
| CVE-2016-1646 | Array.concat | Side Effect, OOB | Wen Xu [2] |
| CVE-2016-1653 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-1665 | Optimization | asm.js | HyungSeok Han [6] |
| CVE-2016-1669 | RegExp | Heap Overflow, Integer Overflow | Choongwoo Han [6] |
| CVE-2016-1677 | decodeURI | Side Effect, Information Leak | Guang Gong [1] |
| CVE-2016-1688 | RegExp | | Max Korenko |
| CVE-2016-5129 | Array | Side Effect | Jeonghoon Shin |
| CVE-2016-5172 | Parser | Scope, eval | Choongwoo Han [6] |
| CVE-2016-5198 | Optimization | parseInt, Compiler, OOB | Tencent Keen Security Lab |
| CVE-2016-5200 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-9651 | Object.assign | Logic, Property | Guang Gong [1] |
| CVE-2017-5030 | Array.concat | Side Effect, OOB | Brendon Tiszka |
| CVE-2017-5040 | Array.indexOf | TypedArray, Side Effect, Detach Buffer | Choongwoo Han |
| CVE-2017-5053 | Array.indexOf | Side Effect | Team Sniper [2] |
| CVE-2017-5070 | Optimization | Array, Type Confusion | Zhao Qixun [5] |
| CVE-2017-5071 | Compiler | OOB | Choongwoo Han |
| CVE-2017-5088 | wasm | Information Leak | Xiling Gong [7] |
| CVE-2017-5098 | Parser | Use After Free | Jihoon Kim [6] |
| CVE-2017-5115 | Compiler | OOB | Marco Giovannini |
| CVE-2017-5116 | wasm | Race Condition | Guang Gong [1] |
| CVE-2017-5121 | Compiler | Uninitialized Memory | Jordan Rabet [9] |
| CVE-2017-5122 | wasm | OOB | Choongwoo Han [8] |
| CVE-2017-15399 | wasm | Use After Free | Zhao Qixun [5] |
| CVE-2017-15401 | wasm | Side Effect, OOB | ? |
| CVE-2018-6056 | Object | OOB | lokihardt [3] |
| CVE-2018-6061 | wasm | Race Condition | Guang Gong [1] |
| CVE-2018-6064 | Object.entries | Side Effect, OOB | lokihardt [3] |
| CVE-2018-6065 | Object | Integer Overflow | Mark Brand [3] |
| CVE-2018-6092 | wasm | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2018-6106 | async generator | Side Effect, Type Confusion | lokihardt [3] |
| CVE-2018-6122 | wasm | async, Side Effect, Type Confusion | ? |
| CVE-2018-6136 | RegExp | Side Effect, Type Confusion | Peter Wong |
| CVE-2018-6142 | Map | Information Leak, OOB | Choongwoo Han [8] |
| CVE-2018-6143 | RegExp | Side Effect, OOB | Guang Gong [1] |
| CVE-2018-6149 | String.split | Allocator, OOB | Yu Zhou and Jundong Xie [11] |
| CVE-2018-16065 | TypedArray.of | Side Effect, OOB, Detach Buffer | Brendon Tiszka |

## ChakraCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-3386 | Spread Operator | Array, Proxy, Stack Overflow | Richard Zhu |
| CVE-2016-7189 | Array.join | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7190 | Array.map | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7194 | Function.apply | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7200 | Array.filter | Heap Corruption | Natalie Silvanovich [3] |
| CVE-2016-7201 | Array | Prototype, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7202 | Array.reverse | Overflow | Natalie Silvanovich [3] |
| CVE-2016-7203 | Array.splice | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7240 | eval | Proxy, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7241 | JSON.parse | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7286 | SIMD.toLocaleString | Uninitialized Memory | Natalie Silvanovich [3] |
| CVE-2016-7287 | Intl | Initialization, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7288 | TypedArray.sort | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-0015 | Spread Operator | Side Effect, Uninitialized Memory | Qixun Zhao [4]; lokihardt; Simon Zuckerbraun |
| CVE-2017-0071 | Optimization | Array, Type Confusion | lokihardt [3] |
| CVE-2017-0134 | Array.concat | Side Effect, Type Confusion | Jordan Rabet |
| CVE-2017-0141 | Array.reverse | Side Effect | Semmle Inc |
| CVE-2017-0234 | ArrayBuffer | OOB | Yuange [10] |
| CVE-2017-0236 | ArrayBuffer | UAF | Tencent Security Lance Team; Yuki Chen [5] |
| CVE-2017-8548 | Optimization | Array | lokihardt [3] |
| CVE-2017-8601 | Optimization | Array | lokihardt [3] |
| CVE-2017-8634 | Array.concat | Side Effect | Hao Lian [5]; HyungSeok Han [6] |
| CVE-2017-8636 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-8640 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8645 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8646 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8656 | try | Uninitialized Memory | lokihardt [3] |
| CVE-2017-8657 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8670 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8671 | Function.call | Integer Overflow | lokihardt [3] |
| CVE-2017-8729 | Parser | Object | lokihardt [3] |
| CVE-2017-8740 | Parser | Scope | lokihardt [3] |
| CVE-2017-8755 | Parser | asm.js | lokihardt [3] |
| CVE-2017-11764 | Parser | eval | lokihardt [3] |
| CVE-2017-11799 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11802 | Compiler | String.replace, Type Confusion | lokihardt [3] |
| CVE-2017-11809 | Compiler | Uninitialized Memory | lokihardt [3] |
| CVE-2017-11811 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11839 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11840 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11841 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11861 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-11870 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11873 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11893 | Compiler | JIT, Math | lokihardt [3] |
| CVE-2017-11909 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11911 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2017-11914 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11918 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0758 | String | Integer Overflow | lokihardt [3] |
| CVE-2018-0767 | Array | OOB | lokihardt [3] |
| CVE-2018-0769 | Compiler | JIT, OOB | lokihardt [3] |
| CVE-2018-0770 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0774 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0775 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0776 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0777 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0780 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2018-0834 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0835 | Compiler | Array.reverse, Type Confusion | lokihardt [3] |
| CVE-2018-0837 | Compiler | JIT, Type Confusion | lokihardt [3] |
| CVE-2018-0838 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0840 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0860 | Compiler | JIT, Information Leak | lokihardt [3] |
| CVE-2018-0933 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0934 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0953 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-0980 | Compiler | Bound Check Elimination | lokihardt [3] |
| CVE-2018-8139 | Function | OOB | lokihardt [3] |
| CVE-2018-8145 | JIT | OOB | lokihardt [3] |
| CVE-2018-8229 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8279 | Parser | Parameter Scope | lokihardt [3] |
| CVE-2018-8288 | Compiler | JIT | lokihardt [3] |
| CVE-2018-8291 | Property | Type Confusion | lokihardt [3] |
| CVE-2018-8298 | Intl | TimeFormat | lokihardt [3] |
| CVE-2018-8355 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8384 | PathTypeHandler | Type Confusion | lokihardt [3] |
| CVE-2018-8466 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8467 | JIT | Type Confusion | lokihardt [3] |

## JavaScriptCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-1857 | Array.join | Side Effect, Use After Free | Liang Chen, Zhen Feng, wushi [2]; Jeonghoon Shin |
| CVE-2016-4622 | Array.slice | Side Effect, OOB | Samuel Groß |
| CVE-2016-4734 | TypedArray.copyWithin, TypedArray.fill | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-2446 | Function.caller | Type Confusion | Natalie Silvanovich [3] |
| CVE-2017-2447 | Function.bind | OOB | Natalie Silvanovich [3] |
| CVE-2017-2464 | Array.concat | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2017-2491 | String.replace | RegExp, Use After Free | Samuel Groß and Niklas Baumstark |
| CVE-2017-2521 | Array.length | OOB | lokihardt [3] |
| CVE-2017-2531 | | OOB | lokihardt [3] |
| CVE-2017-2536 | Spread Operator | Array, Integer Overflow | Samuel Groß and Niklas Baumstark |
| CVE-2017-2547 | Optimization | parseInt, Compiler, OOB | lokihardt [3] |
| CVE-2017-6980 | Array.splice | Uninitialized Memory | lokihardt [3] |
| CVE-2017-6984 | Intl.getCanonicalLocales | Heap Overflow | lokihardt [3] |
| CVE-2017-7056 | arguments | Uninitialized Memory | lokihardt [3] |
| CVE-2017-7061 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2017-7092 | String.link | Heap Overflow | Samuel Groß and Niklas Baumstark; Qixun Zhao [5] |
| CVE-2017-7117 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2018-4233 | Compiler | Proxy, Array, Type Confusion | Samuel Groß |
| CVE-2018-4382 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4386 | Compiler | Incorrect Optimization | lokihardt [3] |
| CVE-2018-4416 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4438 | Compiler | Prototype Chains | lokihardt [3] |
| CVE-2018-4441 | JSArray | OOB | lokihardt [3] |
| CVE-2018-4443 | AbstractValue | Use After Free | lokihardt [3] |

## SpiderMonkey

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2014-1513 | TypedArray.subarray | OOB, Detach Buffer, Side Effect | Jüri Aedla |
| CVE-2018-12387 | Array.prototype.push | Memory Disclosure | Bruno Keith and Niklas Baumstark |

## JScript

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2017-11793 | JSON | Use After Free | ifratric [3] |
| CVE-2017-11855 | Array.slice | Uninitialized Variable | ifratric [3] |
| CVE-2017-11890 | RegExp | Heap Overflow | ifratric [3] |
| CVE-2017-11903 | Array.join | Use After Free | ifratric [3] |
| CVE-2017-11906 | RegExp | OOB | ifratric [3] |
| CVE-2017-11907 | Array.sort | Heap Overflow | ifratric [3] |
| CVE-2018-0891 | RegExp.lastMatch | Memory Disclosure | ifratric [3] |
| CVE-2018-0935 | Array | Use After Free | ifratric [3] |
| CVE-2018-8353 | RegExp | Use After Free | ifratric [3] |
| CVE-2018-8631 | Array | OOB | ifratric [3] |
| CVE-2018-8389 | ActiveXObject | Use After Free | Sudhakar Verma and Ashfaq Ansari [12] |

[1] Qihoo 360
[2] Tencent KeenLab
[3] Google Project Zero
[4] Qihoo 360 Skyeye Labs
[5] Qihoo 360 Vulcan Team
[6] KAIST SoftSec
[7] Tencent Security Platform Department
[8] Naver Corporation
[9] Microsoft
[10] Tencent Zhanlu Lab
[11] Ant-financial Light-Year Security Lab
[12] Project Srishti