7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-7189

GHSA ID

GHSA-vr4j-gj8q-m89v

EPSS Score

0.9904%

CWE

CWE-119

Published

5/14/2022

Updated

11/1/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-7189

CVE-2016-7189: ChakraCore RCE Vulnerability

The Chakra JavaScript engine in Microsoft Edge allows remote attackers to execute arbitrary code via a crafted web site, aka "Scripting Engine Remote Code Execution Vulnerability."

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-7189

GHSA ID

GHSA-vr4j-gj8q-m89v

EPSS Score

0.9904%

CWE

CWE-119

Published

5/14/2022

Updated

11/1/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.ChakraCore	nuget	< 1.2.1	1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from: 1) Type confusion in array operations (TemplatedGetItem/MapHelper) due to prototype chain side-effects, 2) Missing integrity checks in JIT compilation (Encoder::Encode), and 3) Unsafe spread optimizations. The commit adds CRC validation, prototype gap checks, and replaces unsafe TemplatedGetItem with TryTemplatedGetItem, directly addressing these vulnerable patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** ***kr* J*v*S*ript *n*in* in Mi*roso*t **** *llows r*mot* *tt**k*rs to *x**ut* *r*itr*ry *o** vi* * *r**t** w** sit*, *k* "S*riptin* *n*in* R*mot* *o** *x**ution Vuln*r**ility."

Reasoning

T** vuln*r**ility st*ms *rom: *) Typ* *on*usion in *rr*y op*r*tions (T*mpl*t****tIt*m/M*p**lp*r) *u* to prototyp* ***in si**-*****ts, *) Missin* int**rity ****ks in JIT *ompil*tion (`*n*o**r::*n*o**`), *n* *) Uns*** spr*** optimiz*tions. T** *ommit *

7.5

Basic Information

Concerned about an active attack path?

CVE-2016-7189: ChakraCore RCE Vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI