The vulnerability stems from improper handling of implicit call flags during property updates in the RegExp constructor. The patch adds `AddImplicitCallFlags(ImplicitCall_Accessor)` to ensure type system consistency when the `lastInput` property is modified. This indicates that the vulnerable code path was in the property setter logic for RegExp input properties, where the missing implicit call flags allowed the JIT compiler to make unsafe optimizations. The direct correlation between CWE-787 (out-of-bounds write) and the type confusion vulnerability pattern, combined with the specific code modification shown in the commit diff, provides high confidence in this assessment.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| Microsoft.ChakraCore | nuget | < 1.11.8 | 1.11.8 |
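
The implicit-call-flag mechanism described in the analysis above, as a simplified model added here for illustration; it is not ChakraCore code and not the patch itself. `Engine`, `SetLastInput`, `RunOptimized`, `Demo` and the `patched` switch are hypothetical names, and the model assumes the patched setter records the flag on the update path.

```cpp
#include <cstdint>
#include <functional>

// Simplified model. Only AddImplicitCallFlags and ImplicitCall_Accessor are
// names from the page; every other name here is hypothetical.
enum ImplicitCallFlags : uint8_t { ImplicitCall_None = 0, ImplicitCall_Accessor = 1 };
enum class ArrayKind { NativeInt, Var };
enum class Outcome { FastPathOk, BailedOut, StaleTypeAssumption };

struct Engine {
    uint8_t implicitCallFlags = ImplicitCall_None;
    ArrayKind arr = ArrayKind::NativeInt;
    void AddImplicitCallFlags(uint8_t f) { implicitCallFlags |= f; }
};
using SideEffect = std::function<void(Engine&)>;

// Runtime helper that updates the RegExp constructor's lastInput property.
// `sideEffect` stands in for script that may run during the update.
// Assumption: the patched helper records the flag on this update path.
void SetLastInput(Engine& e, const SideEffect& sideEffect, bool patched) {
    if (patched) e.AddImplicitCallFlags(ImplicitCall_Accessor);
    if (sideEffect) sideEffect(e);
}

// Model of JIT-compiled code: the array type is checked once before the call
// and trusted afterwards unless the implicit call flags force a bailout.
Outcome RunOptimized(Engine& e, const SideEffect& sideEffect, bool patched) {
    const ArrayKind assumed = e.arr;
    e.implicitCallFlags = ImplicitCall_None;
    SetLastInput(e, sideEffect, patched);
    if (e.implicitCallFlags != ImplicitCall_None) return Outcome::BailedOut;
    return e.arr == assumed ? Outcome::FastPathOk : Outcome::StaleTypeAssumption;
}

// Runs one scenario on a fresh engine.
Outcome Demo(bool patched, bool typeChangesDuringUpdate) {
    Engine e;
    SideEffect fx;
    if (typeChangesDuringUpdate) fx = [](Engine& en) { en.arr = ArrayKind::Var; };
    return RunOptimized(e, fx, patched);
}

int main() {
    bool ok = Demo(false, false) == Outcome::FastPathOk &&
              Demo(false, true) == Outcome::StaleTypeAssumption &&
              Demo(true, true) == Outcome::BailedOut;
    return ok ? 0 : 1;
}
```

`StaleTypeAssumption` marks the state in which optimized code keeps using a type it checked before the update, which is the type confusion the analysis ties to CWE-787.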