Case Study of JavaScript Engine Vulnerabilities

V8

CVE Number	Feature	Keywords	Credit
CVE-2013-6632	TypedArray	Integer Overflow, OOB	Pinkie Pie
CVE-2014-1705	TypedArray	Invalid Array Length, OOB	geohot
CVE-2014-3176	Array.concat	Side Effect, OOB	lokihardt
CVE-2014-7927	Optimization	asm.js, OOB	Christian Holler
CVE-2014-7928	Optimization	Array	Christian Holler
CVE-2015-1233	Optimization	Array, OOB	?
CVE-2015-1242	Optimization	Array, Type Confusion	fcole@onshape.com
CVE-2015-6764	JSON.stringify	Side Effect, OOB,	Guang Gong [1]
CVE-2015-6771	TypedArray.map	Prototype, OOB	?
CVE-2015-8584	JSON.stringify	Side Effect, OOB	?
CVE-2016-1646	Array.concat	Side Effect, OOB	Wen Xu [2]
CVE-2016-1653	Optimization	asm.js, TypedArray, OOB	Choongwoo Han [6]
CVE-2016-1665	Optimization	asm.js	HyungSeok Han [6]
CVE-2016-1669	RegExp	Heap Overflow, Integer Overflow	Choongwoo Han [6]
CVE-2016-1677	decodeURI	Side Effect, Information Leak	Guang Gong [1]
CVE-2016-1688	RegExp		Max Korenko
CVE-2016-5129	Array	Side Effect	Jeonghoon Shin
CVE-2016-5172	Parser	Scope, eval	Choongwoo Han [6]
CVE-2016-5198	Optimization	parseInt, Compiler, OOB	Tencent Keen Security Lab
CVE-2016-5200	Optimization	asm.js TypedArray, OOB	Choongwoo Han [6]
CVE-2016-9651	Object.assign	Logic, Property	Guang Gong [1]
CVE-2017-5030	Array.concat	Side Effect, OOB	Brendon Tiszka
CVE-2017-5040	Array.indexOf	TypedArray, Side Effect, Detach Buffer	Choongwoo Han
CVE-2017-5053	Array.indexOf	Side Effect	Team Sniper [2]
CVE-2017-5070	Optimization	Array, Type Confusion	Zhao Qixun [5]
CVE-2017-5071	Compiler	OOB	Choongwoo Han
CVE-2017-5088	wasm	Information Leak	Xiling Gong [7]
CVE-2017-5098	Parser	Use After Free	Jihoon Kim [6]
CVE-2017-5115	Compiler	OOB	Marco Giovannini
CVE-2017-5116	wasm	Race Condition	Guang Gong [1]
CVE-2017-5121	Compiler	Uninitialized Memory	Jordan Rabet [9]
CVE-2017-5122	wasm	OOB	Choongwoo Han [8]
CVE-2017-15399	wasm	Use After Free	Zhao Qixun [5]
CVE-2017-15401	wasm	Side Effect, OOB	?
CVE-2018-6056	Object	OOB	lokihardt [3]
CVE-2018-6061	wasm	Race Condition	Guang Gong [1]
CVE-2018-6064	Object.entries	Side Effect, OOB	lokihardt [3]
CVE-2018-6065	Object	Integer Overflow	Mark Brand [3]
CVE-2018-6092	wasm	Integer Overflow	Natalie Silvanovich [3]
CVE-2018-6106	async generator	Side Effect, Type Confusion	lokihardt [3]
CVE-2018-6122	wasm	async, Side Effect, Type Confusion	?
CVE-2018-6136	RegExp	Side Effect, Type Confusion	Peter Wong
CVE-2018-6142	Map	Information Leak, OOB	Choongwoo Han [8]
CVE-2018-6143	RegExp	Side Effect, OOB	Guang Gong [1]
CVE-2018-6149	String.split	Allocator, OOB	Yu Zhou and Jundong Xie [11]
CVE-2018-16065	TypedArray.of	Side Effect, OOB, Detach Buffer	Brendon Tiszka
CVE-2018-17463	Compiler	Object.create	Samuel Gross
CVE-2019-5755	Compiler	OOB	Jay Bosamiya
CVE-2019-5782	Compiler	OOB	Zhao Qixun [5]
CVE-2019-5784	Optimization	Allocator	lupin

ChakraCore

CVE Number	Feature	Keywords	Credit
CVE-2016-3386	Spread Operator	Array, Proxy, Stack Overflow	Richard Zhu
CVE-2016-7189	Array.join	Information Leak	Natalie Silvanovich [3]
CVE-2016-7190	Array.map	Heap Overflow	Natalie Silvanovich [3]
CVE-2016-7194	Function.apply	Information Leak	Natalie Silvanovich [3]
CVE-2016-7200	Array.filter	Heap Corruption	Natalie Silvanovich [3]
CVE-2016-7201	Array	Prototype, Type Confusion	Natalie Silvanovich [3]
CVE-2016-7202	Array.reverse	Overflow	Natalie Silvanovich [3]
CVE-2016-7203	Array.splice	Heap Overflow	Natalie Silvanovich [3]
CVE-2016-7240	eval	Proxy, Type Confusion	Natalie Silvanovich [3]
CVE-2016-7241	JSON.parse	Information Leak	Natalie Silvanovich [3]
CVE-2016-7286	SIMD.toLocaleString	Uninitialized Memory	Natalie Silvanovich [3]
CVE-2016-7287	Intl	Initialization, Type Confusion	Natalie Silvanovich [3]
CVE-2016-7288	TypedArray.sort	Side Effect, Detach Buffer	Natalie Silvanovich [3]
CVE-2017-0015	Spread Operator	Side Effect, Uninitialized Memory	Qixun Zhao [4] lokihart Simon Zuckerbraun
CVE-2017-0071	Optimization	Array, Type Confusion	lokihardt [3]
CVE-2017-0134	Array.concat	Side Effect, Type Confusion	Jordan Rabet
CVE-2017-0141	Array.reverse	Side Effect	Semmle Inc
CVE-2017-0234	ArrayBuffer	OOB	Yuange [10]
CVE-2017-0236	ArrayBuffer	UAF	Tencent Security Lance Team Yuki Chen [5]
CVE-2017-8548	Optimization	Array	lokihardt [3]
CVE-2017-8601	Optimization	Array	lokihardt [3]
CVE-2017-8634	Array.concat	Side Effect	Hao Lian [5] HyungSeok Han [6]
CVE-2017-8636	Compiler	Integer Overflow	lokihardt [3]
CVE-2017-8640	arguments,	Compiler, Uninitialize Memory	lokihardt [3]
CVE-2017-8645	Compiler	asm.js	lokihardt [3]
CVE-2017-8646	Compiler	asm.js	lokihardt [3]
CVE-2017-8656	try	Uninitialized Memory	lokihardt [3]
CVE-2017-8657	Compiler	asm.js	lokihardt [3]
CVE-2017-8670	arguments	Compiler, Uninitialize Memory	lokihardt [3]
CVE-2017-8671	Function.call	Integer Overflow	lokihardt [3]
CVE-2017-8729	Parser	Object	lokihardt [3]
CVE-2017-8740	Parser	Scope	lokihardt [3]
CVE-2017-8755	Parser	asm.js	lokihardt [3]
CVE-2017-11764	Parser	eval	lokihardt [3]
CVE-2017-11799	Compiler	JIT	lokihardt [3]
CVE-2017-11802	Compiler	String.replace, Type Confusion	lokihardt [3]
CVE-2017-11809	Compiler	Uninitialized Memory	lokihardt [3]
CVE-2017-11811	Compiler	Type confusion	lokihardt [3]
CVE-2017-11839	Compiler	JIT	lokihardt [3]
CVE-2017-11840	Compiler	JIT	lokihardt [3]
CVE-2017-11841	Compiler	JIT	lokihardt [3]
CVE-2017-11861	Compiler	Integer Overflow	lokihardt [3]
CVE-2017-11870	Compiler	JIT	lokihardt [3]
CVE-2017-11873	Compiler	JIT	lokihardt [3]
CVE-2017-11893	Compiler	JIT, Math	lokihardt [3]
CVE-2017-11909	Compiler	JIT	lokihardt [3]
CVE-2017-11911	Compiler	asm.js, OOB	lokihardt [3]
CVE-2017-11914	Compiler	Type Confusion	lokihardt [3]
CVE-2017-11918	Compiler	JIT	lokihardt [3]
CVE-2018-0758	String	Integer Overflow	lokihardt [3]
CVE-2018-0767	Array	OOB	lokihardt [3]
CVE-2018-0769	Compiler	JIT, OOB	lokihardt [3]
CVE-2018-0770	Compiler	JIT	lokihardt [3]
CVE-2018-0774	Compiler	Incorrect Scope	lokihardt [3]
CVE-2018-0775	Compiler	Incorrect Scope	lokihardt [3]
CVE-2018-0776	Compiler	JIT, Bailout	lokihardt [3]
CVE-2018-0777	Compiler	JIT	lokihardt [3]
CVE-2018-0780	Compiler	asm.js, OOB	lokihardt [3]
CVE-2018-0834	Compiler	Array, Type Confusion	lokihardt [3]
CVE-2018-0835	Compiler	Array.reverse, Type Confusion	lokihardt [3]
CVE-2018-0837	Compiler	JIT, Type Confusion	lokihardt [3]
CVE-2018-0838	Compiler	Array, Type Confusion	lokihardt [3]
CVE-2018-0840	Compiler	JIT	lokihardt [3]
CVE-2018-0860	Compiler	JIT, Information Leak	lokihardt [3]
CVE-2018-0933	Compiler	JIT, Bailout	lokihardt [3]
CVE-2018-0934	Compiler	JIT, Bailout	lokihardt [3]
CVE-2018-0953	Compiler	Type Confusion	lokihardt [3]
CVE-2018-0980	Compiler	Bound Check Elimination	lokihardt [3]
CVE-2018-8139	Function	OOB	lokihardt [3]
CVE-2018-8145	JIT	OOB	lokihardt [3]
CVE-2018-8229	JIT	Type Confusion	lokihardt [3]
CVE-2018-8279	Parser	Parameter Scope	lokihardt [3]
CVE-2018-8288	Compiler	JIT	lokihardt [3]
CVE-2018-8291	Property	Type confusion	lokihardt [3]
CVE-2018-8298	Intl	TimeFormat	lokihardt [3]
CVE-2018-8355	JIT	Type Confusion	lokihardt [3]
CVE-2018-8384	PathTypeHandler	Type Confusion	lokihardt [3]
CVE-2018-8466	JIT	Type Confusion	lokihardt [3]
CVE-2018-8467	JIT	Type Confusion	lokihardt [3]
CVE-2018-8617	Optimization	Type Confusion	lokihardt [3]
CVE-2019-0539	JIT	Type Confusion	lokihardt [3]
CVE-2019-0567	JIT	Type Confusion	lokihardt [3]
CVE-2019-0568	JIT	Use After Free	lokihardt [3]

JavaScriptCore

CVE Number	Feature	Keywords	Credit
CVE-2016-1857	Array.join	Side Effect, Use After Free	Liang Chen, Zhen Feng, wushi [2] Jeonghoon Shin
CVE-2016-4622	Array.slice	Side Effect, OOB	Samuel Groß
CVE-2016-4734	TypedArray.copyWithin TypedArray.fill	Side Effect, Detach Buffer	Natalie Silvanovich [3]
CVE-2017-2446	Funciton.caller	Type Confusion	Natalie Silvanovich [3]
CVE-2017-2447	Function.bind	OOB	Natalie Silvanovich [3]
CVE-2017-2464	Array.concat	Integer Overflow	Natalie Silvanovich [3]
CVE-2017-2491	String.replace	RegExp, Use After Free	Samuel Groß, and Niklas Baumstark
CVE-2017-2521	Array.length	OOB	lokihardt [3]
CVE-2017-2531		OOB	lokihardt [3]
CVE-2017-2536	Spread Operator	Array, Integer Overflow	Samuel Groß, and Niklas Baumstark
CVE-2017-2547	Optimization	parseInt, Compiler, OOB	lokihardt [3]
CVE-2017-6980	Array.splice	Uninitialized Memory	lokihardt [3]
CVE-2017-6984	Intl.getCanonicalLocales	Heap Overflow	lokihardt [3]
CVE-2017-7056	arguments	Uninitialized Memory	lokihardt [3]
CVE-2017-7061	Compiler	for-in, Type Confusion	lokihardt [3]
CVE-2017-7092	String.link	Heap Overflow	Samuel Groß and Niklas Baumstark Qixun Zhao [5]
CVE-2017-7117	Compiler	for-in, Type Confusion	lokihardt [3]
CVE-2018-4233	Compiler	Proxy, Array, Type Confusion	Samuel Groß
CVE-2018-4382	Compiler	Type Confusion	lokihardt [3]
CVE-2018-4386	Compiler	Incorrect Optimization	lokihardt [3]
CVE-2018-4416	Compiler	Type Confusion	lokihardt [3]
CVE-2018-4438	Compiler	Prototype Chains	lokihardt [3]
CVE-2018-4441	JSArray	OOB	lokihardt [3]
CVE-2018-4442	JIT	Use After Free	lokihardt [3]
CVE-2018-4443	AbstractValue	Use After Free	lokihardt [3]
CVE-2019-6215	Optimization	Type Confusion	lokihardt [3]
CVE-2019-8506	RegExp	Type Confusion	Samuel Groß [3]
CVE-2019-8518	JIT	OOB	Samuel Groß [3]
CVE-2019-8558	CodeBlock	UAF	Samuel Groß [3]

SpiderMonkey

CVE Number	Feature	Keywords	Credit
CVE-2014-1513	TypedArray.subarray	OOB, Detach Buffer, Side Effect	Jüri Aedla
CVE-2018-12387	Array.prototype.push	Memory Disclosure	Bruno Keith and Niklas Baumstark
CVE-2019-9791	OSR, JIT	Type Confusions	Samuel Groß [3]
CVE-2019-9813	Prototype, JIT	Type Confusions	Samuel Groß [3]

JScript

CVE Number	Feature	Keywords	Credit
CVE-2017-11793	JSON	Use After Free	ifratric [3]
CVE-2017-11855	Array.slice	Uninitialized Variable	ifratric [3]
CVE-2017-11890	RegExp	Heap overflow	ifratric [3]
CVE-2017-11903	Array.join	Use After Free	ifratric [3]
CVE-2017-11906	RegExp	OOB	ifratric [3]
CVE-2017-11907	Array.sort	Heap overflow	ifratric [3]
CVE-2018-0891	RegExp.lastMatch	Memory Disclosure	ifratric [3]
CVE-2018-0935	Array	Use After Free	ifratric [3]
CVE-2018-8353	RegExp	Use After Free	ifratric [3]
CVE-2018-8631	Array	OOB	ifratric [3]
CVE-2018-8389	ActiveXObject	Use After Free	Sudhakar Verma and Ashfaq Ansari[12]
CVE-2019-0930	getVarDate	Use After Free	Krishnakant Patil and Siddhant Badhe[12]

[1] Qihoo 360
[2] Tencent KeenLab
[3] Google Project Zero
[4] Qihoo 360 Skyeye Labs
[5] Qihoo 360 Vulcan Team
[6] KAIST SoftSec
[7] Tencent Security Platform Department
[8] Naver Corporation
[9] Microsoft
[10] Tencent Zhanlu Lab
[11] Ant-financial Light-Year Security Lab
[12] Project Srishti

tunz / js-vuln-db

Case Study of JavaScript Engine Vulnerabilities

V8

ChakraCore

JavaScriptCore

SpiderMonkey

JScript

About