VYPR
Medium severity 4.3 · NVD Advisory · Published Apr 12, 2017 · Updated May 13, 2026

CVE-2017-0208

Description

Microsoft Edge's Chakra engine mishandles objects in memory, allowing an attacker to obtain sensitive information via a crafted website.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An information disclosure vulnerability exists in Microsoft Edge (on Windows) when the Chakra scripting engine improperly handles objects in memory [1]. The issue is present in the JavascriptString::JavascriptString constructor where an integer overflow can occur when string.repeat is used, as seen in the fix commit [3]. Affected versions include Microsoft Edge prior to the April 2017 security update [1][2]. The vulnerability is known as “Scripting Engine Information Disclosure Vulnerability” [1].
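The class of bug described above, as an added C++ example that is not ChakraCore code: a length that fits an unsigned charcount_t turns negative when passed through an int parameter, and a range check that exists only as a debug assertion does not guard release builds. All names (kMaxCharCount, checked_repeat_length, CheckedString) and the cap value are assumptions made for this example.

```cpp
#include <cstdint>
#include <stdexcept>

// Hypothetical names throughout; this is not ChakraCore code.
typedef uint32_t charcount_t;                      // unsigned length type, as named in the diff
constexpr charcount_t kMaxCharCount = 0x7FFFFFFE;  // assumed cap, chosen for this example

// What a signed `int len` parameter receives when handed an unsigned length:
// 0x80000000 does not fit in int32_t and comes out negative on mainstream compilers.
int32_t as_signed_len(charcount_t len) {
    return static_cast<int32_t>(len);
}

// Length of a repeat(count) result, checked by division so the product
// is never formed unless it fits under the cap. Returns false when too large.
bool checked_repeat_length(charcount_t unit_len, uint64_t count, charcount_t* out) {
    if (unit_len == 0 || count == 0) { *out = 0; return true; }
    if (count > kMaxCharCount / unit_len) return false;
    *out = static_cast<charcount_t>(unit_len * count);
    return true;
}

// The length is validated in a setter that runs in every build, whereas a
// debug-only assertion is compiled out of release builds.
class CheckedString {
public:
    CheckedString(const char16_t* data, charcount_t len) : data_(data), len_(0) {
        set_length(len);
    }
    charcount_t length() const { return len_; }
    const char16_t* data() const { return data_; }
private:
    void set_length(charcount_t len) {
        if (len > kMaxCharCount) throw std::length_error("string length out of range");
        len_ = len;
    }
    const char16_t* data_;
    charcount_t len_;
};

// True when constructing a string of this length is refused.
bool constructor_rejects(charcount_t len) {
    try { CheckedString s(nullptr, len); (void)s.length(); return false; }
    catch (const std::length_error&) { return true; }
}
```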

Exploitation

An attacker would need to host a specially crafted website that triggers the memory handling flaw via the Chakra engine, then persuade a user to visit it (typically via a link or an embedded webview) [1][4]. No special authentication or network position beyond standard web access is required, as the exploit occurs in a web browsing context [4]. The user must load the malicious content for the vulnerability to be triggered [1][4].

Impact

Successful exploitation leads to information disclosure: the attacker could read sensitive data from the user's system that could further compromise the machine [1][4]. The vulnerability does not directly allow code execution but provides information that could be leveraged in additional attacks [4]. The privilege scope remains within the context of the browsing session, not a full system compromise.

Mitigation

Microsoft released a fix as part of the April 2017 security update (MS17-007) for Microsoft Edge. The fix addresses the integer overflow in JavascriptString handling [3]. Users should apply the update via Windows Update. For the ChakraCore standalone engine, the fix is included in version 1.11 onward, and security updates were provided until March 2021 [2]. No workaround is available; updating is the only remediation.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Microsoft.ChakraCore (NuGet)
Affected versions: < 1.4.3
Patched versions: 1.4.3

Patches

54d6d085987e

[CVE-2017-0208] Fix integer overflow in string.repeat

https://github.com/chakra-core/ChakraCore · Satheesh Ravindranath · Feb 27, 2017 · via ghsa
4 files changed · +33 -6
  • lib/Runtime/Library/JavascriptString.cpp · +4 -4 · modified
    @@ -199,10 +199,10 @@ namespace Js
         }
     
         JavascriptString::JavascriptString(StaticType * type, charcount_t charLength, const char16* szValue)
    -        : RecyclableObject(type), m_charLength(charLength), m_pszValue(szValue)
    +        : RecyclableObject(type), m_pszValue(szValue)
         {
             Assert(type->GetTypeId() == TypeIds_String);
    -        AssertMsg(IsValidCharCount(charLength), "String length is out of range");
    +        SetLength(charLength);
         }
     
         _Ret_range_(m_charLength, m_charLength)
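Review bot: the constructor no longer sets m_charLength in the initializer list and depends entirely on SetLength(charLength) in the body, but SetLength is not part of this diff, so the review cannot confirm that it rejects an out-of-range length in release builds the way the removed AssertMsg(IsValidCharCount(charLength), ...) documented. Please quote or link SetLength's check in the commit message, add a comment on the constructor saying it can now fail for an invalid length, and confirm that any other JavascriptString constructors that set m_charLength directly get the same treatment.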
    @@ -3353,7 +3353,7 @@ namespace Js
             return builder.ToString();
         }
     
    -    int JavascriptString::IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position)
    +    int JavascriptString::IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, int searchLen, int position)
         {
             int result = -1;
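Review bot: in the new IndexOfUsingJmpTable signature only len becomes charcount_t, while searchLen and position stay int and the function still returns int (result = -1), so comparisons between len and the other two are now mixed signed/unsigned and a match index above INT_MAX cannot be returned. Either convert searchLen and position as was done for LastIndexOfUsingJmpTable, or add a comment stating why they are guaranteed non-negative and in range here.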
     
    @@ -3400,7 +3400,7 @@ namespace Js
             return result;
         }
     
    -    int JavascriptString::LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position)
    +    int JavascriptString::LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, charcount_t searchLen, charcount_t position)
         {
             const char16 searchFirst = searchStr[0];
             uint32 lMatchedJump = searchLen;
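Review bot: position in LastIndexOfUsingJmpTable changes from int to charcount_t, so any check in the body of the form position >= 0 or position < 0 becomes always true or always false, and a backwards scan that relies on such a check would no longer stop on it; the body is outside this hunk, so please verify it. The function still returns int, and uint32 lMatchedJump = searchLen now copies a charcount_t into a uint32; declaring lMatchedJump as charcount_t would keep the length types consistent.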
    
  • lib/Runtime/Library/JavascriptString.h · +2 -2 · modified
    @@ -157,8 +157,8 @@ namespace Js
             char16* GetSzCopy();   // get a copy of the inner string without compacting the chunks
     
             static Var ToCaseCore(JavascriptString* pThis, ToCase toCase);
    -        static int IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position);
    -        static int LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, int len, const char16* searchStr, int searchLen, int position);
    +        static int IndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, int searchLen, int position);
    +        static int LastIndexOfUsingJmpTable(JmpTable jmpTable, const char16* inputStr, charcount_t len, const char16* searchStr, charcount_t searchLen, charcount_t position);
             static bool BuildLastCharForwardBoyerMooreTable(JmpTable jmpTable, const char16* searchStr, int searchLen);
             static bool BuildFirstCharBackwardBoyerMooreTable(JmpTable jmpTable, const char16* searchStr, int searchLen);
             static charcount_t ConvertToIndex(Var varIndex, ScriptContext *scriptContext);
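Review bot: LastIndexOfUsingJmpTable now takes charcount_t searchLen, but the two table builders declared just below it, BuildLastCharForwardBoyerMooreTable and BuildFirstCharBackwardBoyerMooreTable, still take int searchLen, so a caller passing the same length to both gets an implicit unsigned-to-signed conversion. Consider changing those declarations too, or add a comment giving the bound that makes the conversion safe.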
    
  • test/Strings/repeatBug.js · +21 -0 · added
    @@ -0,0 +1,21 @@
    +//-------------------------------------------------------------------------------------------------------
    +// Copyright (C) Microsoft. All rights reserved.
    +// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
    +//-------------------------------------------------------------------------------------------------------
    +
    +try
    +{
    +    var str = "+".repeat(0x80000000);
    +    str = str.replace(str, "+");
    +
    +  	WScript.Echo("FAIL: Was expecting Out of Memory exception.");
    +}
    +catch (e)
    +{
    +  if(e.number == -2146828281) //Out of Memory
    +    WScript.Echo("PASS");
    +  else
    +    WScript.Echo("FAIL: Got the wrong exception code.");
    +}
    +
    +
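Review bot: the test covers only "+".repeat(0x80000000) and treats any Out of Memory exception as a pass, so it does not show whether the exception comes from repeat or from the following str.replace(str, "+"), and it does not exercise lengths just below and just above the limit. Splitting the two calls into separate try blocks and adding boundary cases would make a regression easier to localize; the bare -2146828281 would read better as a named constant, and the FAIL line inside the try block is indented with a tab while the rest of the file uses spaces.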
    
  • test/Strings/rlexe.xml · +6 -0 · modified
    @@ -242,4 +242,10 @@
           <tags>exclude_win7</tags>
         </default>
       </test>
    +  <test>
    +    <default>
    +      <files>repeatBug.js</files>
    +      <tags>exclude_chk, Slow</tags>
    +    </default>
    +  </test> 
     </regress-exe>
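Review bot: the new entry is tagged exclude_chk, Slow, which by the tag names keeps this regression test out of chk builds and out of runs that skip slow tests, so the fix may go unexercised in some configurations. Please add a comment explaining why the test has to be excluded there, and drop the trailing space after </test> on the last added line.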
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
