Awesome
Case Study of JavaScript Engine Vulnerabilities
V8
| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2013-6632 | TypedArray | Integer Overflow, OOB | Pinkie Pie |
| CVE-2014-1705 | TypedArray | Invalid Array Length, OOB | geohot |
| CVE-2014-3176 | Array.concat | Side Effect, OOB | lokihardt |
| CVE-2014-7927 | Optimization | asm.js, OOB | Christian Holler |
| CVE-2014-7928 | Optimization | Array | Christian Holler |
| CVE-2015-1233 | Optimization | Array, OOB | ? |
| CVE-2015-1242 | Optimization | Array, Type Confusion | fcole@onshape.com |
| CVE-2015-6764 | JSON.stringify | Side Effect, OOB, | Guang Gong [1] |
| CVE-2015-6771 | TypedArray.map | Prototype, OOB | ? |
| CVE-2015-8584 | JSON.stringify | Side Effect, OOB | ? |
| CVE-2016-1646 | Array.concat | Side Effect, OOB | Wen Xu [2] |
| CVE-2016-1653 | Optimization | asm.js, TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-1665 | Optimization | asm.js | HyungSeok Han [6] |
| CVE-2016-1669 | RegExp | Heap Overflow, Integer Overflow | Choongwoo Han [6] |
| CVE-2016-1677 | decodeURI | Side Effect, Information Leak | Guang Gong [1] |
| CVE-2016-1688 | RegExp | Max Korenko | |
| CVE-2016-5129 | Array | Side Effect | Jeonghoon Shin |
| CVE-2016-5172 | Parser | Scope, eval | Choongwoo Han [6] |
| CVE-2016-5198 | Optimization | parseInt, Compiler, OOB | Tencent Keen Security Lab |
| CVE-2016-5200 | Optimization | asm.js TypedArray, OOB | Choongwoo Han [6] |
| CVE-2016-9651 | Object.assign | Logic, Property | Guang Gong [1] |
| CVE-2017-5030 | Array.concat | Side Effect, OOB | Brendon Tiszka |
| CVE-2017-5040 | Array.indexOf | TypedArray, Side Effect, Detach Buffer | Choongwoo Han |
| CVE-2017-5053 | Array.indexOf | Side Effect | Team Sniper [2] |
| CVE-2017-5070 | Optimization | Array, Type Confusion | Zhao Qixun [5] |
| CVE-2017-5071 | Compiler | OOB | Choongwoo Han |
| CVE-2017-5088 | wasm | Information Leak | Xiling Gong [7] |
| CVE-2017-5098 | Parser | Use After Free | Jihoon Kim [6] |
| CVE-2017-5115 | Compiler | OOB | Marco Giovannini |
| CVE-2017-5116 | wasm | Race Condition | Guang Gong [1] |
| CVE-2017-5121 | Compiler | Uninitialized Memory | Jordan Rabet [9] |
| CVE-2017-5122 | wasm | OOB | Choongwoo Han [8] |
| CVE-2017-15399 | wasm | Use After Free | Zhao Qixun [5] |
| CVE-2017-15401 | wasm | Side Effect, OOB | ? |
| CVE-2018-6056 | Object | OOB | lokihardt [3] |
| CVE-2018-6061 | wasm | Race Condition | Guang Gong [1] |
| CVE-2018-6064 | Object.entries | Side Effect, OOB | lokihardt [3] |
| CVE-2018-6065 | Object | Integer Overflow | Mark Brand [3] |
| CVE-2018-6092 | wasm | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2018-6106 | async generator | Side Effect, Type Confusion | lokihardt [3] |
| CVE-2018-6122 | wasm | async, Side Effect, Type Confusion | ? |
| CVE-2018-6136 | RegExp | Side Effect, Type Confusion | Peter Wong |
| CVE-2018-6142 | Map | Information Leak, OOB | Choongwoo Han [8] |
| CVE-2018-6143 | RegExp | Side Effect, OOB | Guang Gong [1] |
| CVE-2018-6149 | String.split | Allocator, OOB | Yu Zhou and Jundong Xie [11] |
| CVE-2018-16065 | TypedArray.of | Side Effect, OOB, Detach Buffer | Brendon Tiszka |
| CVE-2018-17463 | Compiler | Object.create | Samuel Gross |
| CVE-2019-5755 | Compiler | OOB | Jay Bosamiya |
| CVE-2019-5782 | Compiler | OOB | Zhao Qixun [5] |
| CVE-2019-5784 | Optimization | Allocator | lupin |
ChakraCore
| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-3386 | Spread Operator | Array, Proxy, Stack Overflow | Richard Zhu |
| CVE-2016-7189 | Array.join | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7190 | Array.map | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7194 | Function.apply | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7200 | Array.filter | Heap Corruption | Natalie Silvanovich [3] |
| CVE-2016-7201 | Array | Prototype, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7202 | Array.reverse | Overflow | Natalie Silvanovich [3] |
| CVE-2016-7203 | Array.splice | Heap Overflow | Natalie Silvanovich [3] |
| CVE-2016-7240 | eval | Proxy, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7241 | JSON.parse | Information Leak | Natalie Silvanovich [3] |
| CVE-2016-7286 | SIMD.toLocaleString | Uninitialized Memory | Natalie Silvanovich [3] |
| CVE-2016-7287 | Intl | Initialization, Type Confusion | Natalie Silvanovich [3] |
| CVE-2016-7288 | TypedArray.sort | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-0015 | Spread Operator | Side Effect, Uninitialized Memory | Qixun Zhao [4]<br/> lokihart<br/> Simon Zuckerbraun |
| CVE-2017-0071 | Optimization | Array, Type Confusion | lokihardt [3] |
| CVE-2017-0134 | Array.concat | Side Effect, Type Confusion | Jordan Rabet |
| CVE-2017-0141 | Array.reverse | Side Effect | Semmle Inc |
| CVE-2017-0234 | ArrayBuffer | OOB | Yuange [10] |
| CVE-2017-0236 | ArrayBuffer | UAF | Tencent Security Lance Team <br/> Yuki Chen [5] |
| CVE-2017-8548 | Optimization | Array | lokihardt [3] |
| CVE-2017-8601 | Optimization | Array | lokihardt [3] |
| CVE-2017-8634 | Array.concat | Side Effect | Hao Lian [5]<br/>HyungSeok Han [6] |
| CVE-2017-8636 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-8640 | arguments, | Compiler, Uninitialize Memory | lokihardt [3] |
| CVE-2017-8645 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8646 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8656 | try | Uninitialized Memory | lokihardt [3] |
| CVE-2017-8657 | Compiler | asm.js | lokihardt [3] |
| CVE-2017-8670 | arguments | Compiler, Uninitialize Memory | lokihardt [3] |
| CVE-2017-8671 | Function.call | Integer Overflow | lokihardt [3] |
| CVE-2017-8729 | Parser | Object | lokihardt [3] |
| CVE-2017-8740 | Parser | Scope | lokihardt [3] |
| CVE-2017-8755 | Parser | asm.js | lokihardt [3] |
| CVE-2017-11764 | Parser | eval | lokihardt [3] |
| CVE-2017-11799 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11802 | Compiler | String.replace, Type Confusion | lokihardt [3] |
| CVE-2017-11809 | Compiler | Uninitialized Memory | lokihardt [3] |
| CVE-2017-11811 | Compiler | Type confusion | lokihardt [3] |
| CVE-2017-11839 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11840 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11841 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11861 | Compiler | Integer Overflow | lokihardt [3] |
| CVE-2017-11870 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11873 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11893 | Compiler | JIT, Math | lokihardt [3] |
| CVE-2017-11909 | Compiler | JIT | lokihardt [3] |
| CVE-2017-11911 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2017-11914 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2017-11918 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0758 | String | Integer Overflow | lokihardt [3] |
| CVE-2018-0767 | Array | OOB | lokihardt [3] |
| CVE-2018-0769 | Compiler | JIT, OOB | lokihardt [3] |
| CVE-2018-0770 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0774 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0775 | Compiler | Incorrect Scope | lokihardt [3] |
| CVE-2018-0776 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0777 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0780 | Compiler | asm.js, OOB | lokihardt [3] |
| CVE-2018-0834 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0835 | Compiler | Array.reverse, Type Confusion | lokihardt [3] |
| CVE-2018-0837 | Compiler | JIT, Type Confusion | lokihardt [3] |
| CVE-2018-0838 | Compiler | Array, Type Confusion | lokihardt [3] |
| CVE-2018-0840 | Compiler | JIT | lokihardt [3] |
| CVE-2018-0860 | Compiler | JIT, Information Leak | lokihardt [3] |
| CVE-2018-0933 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0934 | Compiler | JIT, Bailout | lokihardt [3] |
| CVE-2018-0953 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-0980 | Compiler | Bound Check Elimination | lokihardt [3] |
| CVE-2018-8139 | Function | OOB | lokihardt [3] |
| CVE-2018-8145 | JIT | OOB | lokihardt [3] |
| CVE-2018-8229 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8279 | Parser | Parameter Scope | lokihardt [3] |
| CVE-2018-8288 | Compiler | JIT | lokihardt [3] |
| CVE-2018-8291 | Property | Type confusion | lokihardt [3] |
| CVE-2018-8298 | Intl | TimeFormat | lokihardt [3] |
| CVE-2018-8355 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8384 | PathTypeHandler | Type Confusion | lokihardt [3] |
| CVE-2018-8466 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8467 | JIT | Type Confusion | lokihardt [3] |
| CVE-2018-8617 | Optimization | Type Confusion | lokihardt [3] |
| CVE-2019-0539 | JIT | Type Confusion | lokihardt [3] |
| CVE-2019-0567 | JIT | Type Confusion | lokihardt [3] |
| CVE-2019-0568 | JIT | Use After Free | lokihardt [3] |
JavaScriptCore
| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2016-1857 | Array.join | Side Effect, Use After Free | Liang Chen, Zhen Feng, wushi [2]<br/> Jeonghoon Shin |
| CVE-2016-4622 | Array.slice | Side Effect, OOB | Samuel Groß |
| CVE-2016-4734 | TypedArray.copyWithin<br/> TypedArray.fill | Side Effect, Detach Buffer | Natalie Silvanovich [3] |
| CVE-2017-2446 | Funciton.caller | Type Confusion | Natalie Silvanovich [3] |
| CVE-2017-2447 | Function.bind | OOB | Natalie Silvanovich [3] |
| CVE-2017-2464 | Array.concat | Integer Overflow | Natalie Silvanovich [3] |
| CVE-2017-2491 | String.replace | RegExp, Use After Free | Samuel Groß, and Niklas Baumstark |
| CVE-2017-2521 | Array.length | OOB | lokihardt [3] |
| CVE-2017-2531 | OOB | lokihardt [3] | |
| CVE-2017-2536 | Spread Operator | Array, Integer Overflow | Samuel Groß, and Niklas Baumstark |
| CVE-2017-2547 | Optimization | parseInt, Compiler, OOB | lokihardt [3] |
| CVE-2017-6980 | Array.splice | Uninitialized Memory | lokihardt [3] |
| CVE-2017-6984 | Intl.getCanonicalLocales | Heap Overflow | lokihardt [3] |
| CVE-2017-7056 | arguments | Uninitialized Memory | lokihardt [3] |
| CVE-2017-7061 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2017-7092 | String.link | Heap Overflow | Samuel Groß and Niklas Baumstark<br>Qixun Zhao [5] |
| CVE-2017-7117 | Compiler | for-in, Type Confusion | lokihardt [3] |
| CVE-2018-4233 | Compiler | Proxy, Array, Type Confusion | Samuel Groß |
| CVE-2018-4382 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4386 | Compiler | Incorrect Optimization | lokihardt [3] |
| CVE-2018-4416 | Compiler | Type Confusion | lokihardt [3] |
| CVE-2018-4438 | Compiler | Prototype Chains | lokihardt [3] |
| CVE-2018-4441 | JSArray | OOB | lokihardt [3] |
| CVE-2018-4442 | JIT | Use After Free | lokihardt [3] |
| CVE-2018-4443 | AbstractValue | Use After Free | lokihardt [3] |
| CVE-2019-6215 | Optimization | Type Confusion | lokihardt [3] |
| CVE-2019-8506 | RegExp | Type Confusion | Samuel Groß [3] |
| CVE-2019-8518 | JIT | OOB | Samuel Groß [3] |
| CVE-2019-8558 | CodeBlock | UAF | Samuel Groß [3] |
SpiderMonkey
| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2014-1513 | TypedArray.subarray | OOB, Detach Buffer, Side Effect | Jüri Aedla |
| CVE-2018-12387 | Array.prototype.push | Memory Disclosure | Bruno Keith and Niklas Baumstark |
| CVE-2019-9791 | OSR, JIT | Type Confusions | Samuel Groß [3] |
| CVE-2019-9813 | Prototype, JIT | Type Confusions | Samuel Groß [3] |
JScript
| CVE Number | Feature | Keywords | Credit |
|---|---|---|---|
| CVE-2017-11793 | JSON | Use After Free | ifratric [3] |
| CVE-2017-11855 | Array.slice | Uninitialized Variable | ifratric [3] |
| CVE-2017-11890 | RegExp | Heap overflow | ifratric [3] |
| CVE-2017-11903 | Array.join | Use After Free | ifratric [3] |
| CVE-2017-11906 | RegExp | OOB | ifratric [3] |
| CVE-2017-11907 | Array.sort | Heap overflow | ifratric [3] |
| CVE-2018-0891 | RegExp.lastMatch | Memory Disclosure | ifratric [3] |
| CVE-2018-0935 | Array | Use After Free | ifratric [3] |
| CVE-2018-8353 | RegExp | Use After Free | ifratric [3] |
| CVE-2018-8631 | Array | OOB | ifratric [3] |
| CVE-2018-8389 | ActiveXObject | Use After Free | Sudhakar Verma and Ashfaq Ansari[12] |
| CVE-2019-0930 | getVarDate | Use After Free | Krishnakant Patil and Siddhant Badhe[12] |
<a name="qihoo360"></a>[1] Qihoo 360
<a name="keenlab"></a>[2] Tencent KeenLab
<a name="projectzero"></a>[3] Google Project Zero
<a name="qihoo360skyeye"></a>[4] Qihoo 360 Skyeye Labs
<a name="qihoo360vulcan"></a>[5] Qihoo 360 Vulcan Team
<a name="kaistsoftsec"></a>[6] KAIST SoftSec
<a name="tencentplatform"></a>[7] Tencent Security Platform Department
<a name="naver"></a>[8] Naver Corporation
<a name="microsoft"></a>[9] Microsoft
<a name="zhanlulab"></a>[10] Tencent Zhanlu Lab
<a name="afly"></a>[11] Ant-financial Light-Year Security Lab
<a name="srishti"></a>[12] Project Srishti