Case Study of JavaScript Engine Vulnerabilities

V8

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie |
| CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot |
| CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt |
| CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler |
| CVE-2014-7928 | Optimization | Array | Christian Holler |
| CVE-2015-1233 | Optimization | Array, OOB | ? |
| CVE-2015-1242 | Optimization | Array, Type Confusion | fcole@onshape.com |
| CVE-2015-6764 | JSON.stringify | Side Effect, OOB | Guang Gong [1] |
| CVE-2015-6771 | TypedArray.map | Prototype, OOB | ? |
| CVE-2015-8584 | JSON.stringify | Side Effect, OOB | ? |
| CVE-2016-1646 | Array.concat | Side Effect, OOB | Wen Xu [2] |
| CVE-2016-1653 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-1665 | Optimization | asm.js | HyungSeok Han [6] |
| CVE-2016-1669 | RegExp | Heap Overflow, Integer Overflow | Choongwoo Han [6] |
| CVE-2016-1677 | decodeURI | Side Effect, Information Leak | Guang Gong [1] |
| CVE-2016-1688 | RegExp | | Max Korenko |
| CVE-2016-5129 | Array | Side Effect | Jeonghoon Shin |
| CVE-2016-5172 | Parser | Scope, eval | Choongwoo Han [6] |
| CVE-2016-5198 | Optimization | parseInt, Compiler, OOB | Tencent Keen Security Lab |
| CVE-2016-5200 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-9651 | Object.assign | Logic, Property | Guang Gong [1] |
| CVE-2017-5030 | Array.concat | Side Effect, OOB | Brendon Tiszka |
| CVE-2017-5040 | Array.indexOf | TypedArray, Side Effect, Detach Buffer | Choongwoo Han |
| CVE-2017-5053 | Array.indexOf | Side Effect | Team Sniper [2] |
| CVE-2017-5070 | Optimization | Array, Type Confusion | Zhao Qixun [5] |
| CVE-2017-5071 | Compiler | OOB | Choongwoo Han |
| CVE-2017-5088 | wasm | Information Leak | Xiling Gong [7] |
| CVE-2017-5098 | Parser | Use After Free | Jihoon Kim [6] |
| CVE-2017-5115 | Compiler | OOB | Marco Giovannini |
| CVE-2017-5116 | wasm | Race Condition | Guang Gong [1] |
| CVE-2017-5121 | Compiler | Uninitialized Memory | Jordan Rabet [9] |
| CVE-2017-5122 | wasm | OOB | Choongwoo Han [8] |
| CVE-2017-15399 | wasm | Use After Free | Zhao Qixun [5] |
| CVE-2017-15401 | wasm | Side Effect, OOB | ? |
| CVE-2018-6056 | Object | OOB | lokihardt [3] |
| CVE-2018-6061 | wasm | Race Condition | Guang Gong [1] |
| CVE-2018-6064 | Object.entries | Side Effect, OOB | lokihardt [3] |
| CVE-2018-6065 | Object | Integer Overflow | Mark Brand [3] |
| CVE-2018-6092 | wasm | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2018-6106 | async generator | Side Effect, Type Confusion | lokihardt [3] |
| CVE-2018-6122 | wasm | async, Side Effect, Type Confusion | ? |
| CVE-2018-6136 | RegExp | Side Effect, Type Confusion | Peter Wong |
| CVE-2018-6142 | Map | Information Leak, OOB | Choongwoo Han [8] |
| CVE-2018-6143 | RegExp | Side Effect, OOB | Guang Gong [1] |
| CVE-2018-6149 | String.split | Allocator, OOB | Yu Zhou and Jundong Xie [11] |
| CVE-2018-16065 | TypedArray.of | Side Effect, OOB, Detach Buffer | Brendon Tiszka |
| CVE-2018-17463 | Compiler | Object.create | Samuel Gross |
| CVE-2019-5755 | Compiler | OOB | Jay Bosamiya |
| CVE-2019-5782 | Compiler | OOB | Zhao Qixun [5] |
| CVE-2019-5784 | Optimization | Allocator | lupin |

ChakraCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-3386 | Spread Operator | Array, Proxy, Stack Overflow | Richard Zhu |
| CVE-2016-7189 | Array.join | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7190 | Array.map | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7194 | Function.apply | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7200 | Array.filter | Heap Corruption | Natalie Silvanovich [3] |
| CVE-2016-7201 | Array | Prototype, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7202 | Array.reverse | Overflow | Natalie Silvanovich [3] |
| CVE-2016-7203 | Array.splice | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7240 | eval | Proxy, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7241 | JSON.parse | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7286 | SIMD.toLocaleString | Uninitialized Memory | Natalie Silvanovich [3] |
| CVE-2016-7287 | Intl | Initialization, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7288 | TypedArray.sort | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-0015 | Spread Operator | Side Effect, Uninitialized Memory | Qixun Zhao [4]<br/>lokihardt<br/>Simon Zuckerbraun |
| CVE-2017-0071 | Optimization | Array, Type Confusion | lokihardt [3] |
| CVE-2017-0134 | Array.concat | Side Effect, Type Confusion | Jordan Rabet |
| CVE-2017-0141 | Array.reverse | Side Effect | Semmle Inc |
| CVE-2017-0234 | ArrayBuffer | OOB | Yuange [10] |
| CVE-2017-0236 | ArrayBuffer | UAF | Tencent Security Lance Team<br/>Yuki Chen [5] |
| CVE-2017-8548 | Optimization | Array | lokihardt [3] |
| CVE-2017-8601 | Optimization | Array | lokihardt [3] |
| CVE-2017-8634 | Array.concat | Side Effect | Hao Lian [5]<br/>HyungSeok Han [6] |
| CVE-2017-8636 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-8640 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8645 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8646 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8656 | try | Uninitialized Memory | lokihardt [3] |
| CVE-2017-8657 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8670 | arguments | Compiler, Uninitialized Memory | lokihardt [3] |
| CVE-2017-8671 | Function.call | Integer Overflow | lokihardt [3] |
| CVE-2017-8729 | Parser | Object | lokihardt [3] |
| CVE-2017-8740 | Parser | Scope | lokihardt [3] |
| CVE-2017-8755 | Parser | asm.js | lokihardt [3] |
| CVE-2017-11764 | Parser | eval | lokihardt [3] |
| CVE-2017-11799 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11802 | Compiler | String.replace, Type Confusion | lokihardt [3] |
| CVE-2017-11809 | Compiler | Uninitialized Memory | lokihardt [3] |
| CVE-2017-11811 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11839 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11840 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11841 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11861 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-11870 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11873 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11893 | Compiler | JIT, Math | lokihardt [3] |
| CVE-2017-11909 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11911 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2017-11914 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11918 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0758 | String | Integer Overflow | lokihardt [3] |
| CVE-2018-0767 | Array | OOB | lokihardt [3] |
| CVE-2018-0769 | Compiler | JIT, OOB | lokihardt [3] |
| CVE-2018-0770 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0774 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0775 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0776 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0777 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0780 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2018-0834 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0835 | Compiler | Array.reverse, Type Confusion | lokihardt [3] |
| CVE-2018-0837 | Compiler | JIT, Type Confusion | lokihardt [3] |
| CVE-2018-0838 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0840 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0860 | Compiler | JIT, Information Leak | lokihardt [3] |
| CVE-2018-0933 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0934 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0953 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-0980 | Compiler | Bound Check Elimination | lokihardt [3] |
| CVE-2018-8139 | Function | OOB | lokihardt [3] |
| CVE-2018-8145 | JIT | OOB | lokihardt [3] |
| CVE-2018-8229 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8279 | Parser | Parameter Scope | lokihardt [3] |
| CVE-2018-8288 | Compiler | JIT | lokihardt [3] |
| CVE-2018-8291 | Property | Type Confusion | lokihardt [3] |
| CVE-2018-8298 | Intl | TimeFormat | lokihardt [3] |
| CVE-2018-8355 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8384 | PathTypeHandler | Type Confusion | lokihardt [3] |
| CVE-2018-8466 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8467 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8617 | Optimization | Type Confusion | lokihardt [3] |
| CVE-2019-0539 | JIT | Type Confusion | lokihardt [3] |
| CVE-2019-0567 | JIT | Type Confusion | lokihardt [3] |
| CVE-2019-0568 | JIT | Use After Free | lokihardt [3] |

JavaScriptCore

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-1857 | Array.join | Side Effect, Use After Free | Liang Chen, Zhen Feng, wushi [2]<br/>Jeonghoon Shin |
| CVE-2016-4622 | Array.slice | Side Effect, OOB | Samuel Groß |
| CVE-2016-4734 | TypedArray.copyWithin<br/>TypedArray.fill | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-2446 | Function.caller | Type Confusion | Natalie Silvanovich [3] |
| CVE-2017-2447 | Function.bind | OOB | Natalie Silvanovich [3] |
| CVE-2017-2464 | Array.concat | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2017-2491 | String.replace | RegExp, Use After Free | Samuel Groß and Niklas Baumstark |
| CVE-2017-2521 | Array.length | OOB | lokihardt [3] |
| CVE-2017-2531 | | OOB | lokihardt [3] |
| CVE-2017-2536 | Spread Operator | Array, Integer Overflow | Samuel Groß and Niklas Baumstark |
| CVE-2017-2547 | Optimization | parseInt, Compiler, OOB | lokihardt [3] |
| CVE-2017-6980 | Array.splice | Uninitialized Memory | lokihardt [3] |
| CVE-2017-6984 | Intl.getCanonicalLocales | Heap Overflow | lokihardt [3] |
| CVE-2017-7056 | arguments | Uninitialized Memory | lokihardt [3] |
| CVE-2017-7061 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2017-7092 | String.link | Heap Overflow | Samuel Groß and Niklas Baumstark<br/>Qixun Zhao [5] |
| CVE-2017-7117 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2018-4233 | Compiler | Proxy, Array, Type Confusion | Samuel Groß |
| CVE-2018-4382 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4386 | Compiler | Incorrect Optimization | lokihardt [3] |
| CVE-2018-4416 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4438 | Compiler | Prototype Chains | lokihardt [3] |
| CVE-2018-4441 | JSArray | OOB | lokihardt [3] |
| CVE-2018-4442 | JIT | Use After Free | lokihardt [3] |
| CVE-2018-4443 | AbstractValue | Use After Free | lokihardt [3] |
| CVE-2019-6215 | Optimization | Type Confusion | lokihardt [3] |
| CVE-2019-8506 | RegExp | Type Confusion | Samuel Groß [3] |
| CVE-2019-8518 | JIT | OOB | Samuel Groß [3] |
| CVE-2019-8558 | CodeBlock | UAF | Samuel Groß [3] |

SpiderMonkey

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2014-1513 | TypedArray.subarray | OOB, Detach Buffer, Side Effect | Jüri Aedla |
| CVE-2018-12387 | Array.prototype.push | Memory Disclosure | Bruno Keith and Niklas Baumstark |
| CVE-2019-9791 | OSR, JIT | Type Confusion | Samuel Groß [3] |
| CVE-2019-9813 | Prototype, JIT | Type Confusion | Samuel Groß [3] |

JScript

| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2017-11793 | JSON | Use After Free | ifratric [3] |
| CVE-2017-11855 | Array.slice | Uninitialized Variable | ifratric [3] |
| CVE-2017-11890 | RegExp | Heap Overflow | ifratric [3] |
| CVE-2017-11903 | Array.join | Use After Free | ifratric [3] |
| CVE-2017-11906 | RegExp | OOB | ifratric [3] |
| CVE-2017-11907 | Array.sort | Heap Overflow | ifratric [3] |
| CVE-2018-0891 | RegExp.lastMatch | Memory Disclosure | ifratric [3] |
| CVE-2018-0935 | Array | Use After Free | ifratric [3] |
| CVE-2018-8353 | RegExp | Use After Free | ifratric [3] |
| CVE-2018-8631 | Array | OOB | ifratric [3] |
| CVE-2018-8389 | ActiveXObject | Use After Free | Sudhakar Verma and Ashfaq Ansari [12] |
| CVE-2019-0930 | getVarDate | Use After Free | Krishnakant Patil and Siddhant Badhe [12] |

<a name="qihoo360"></a>[1] Qihoo 360
<a name="keenlab"></a>[2] Tencent KeenLab
<a name="projectzero"></a>[3] Google Project Zero
<a name="qihoo360skyeye"></a>[4] Qihoo 360 Skyeye Labs
<a name="qihoo360vulcan"></a>[5] Qihoo 360 Vulcan Team
<a name="kaistsoftsec"></a>[6] KAIST SoftSec
<a name="tencentplatform"></a>[7] Tencent Security Platform Department
<a name="naver"></a>[8] Naver Corporation
<a name="microsoft"></a>[9] Microsoft
<a name="zhanlulab"></a>[10] Tencent Zhanlu Lab
<a name="afly"></a>[11] Ant-financial Light-Year Security Lab
<a name="srishti"></a>[12] Project Srishti