VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-rru7-kb7m-y3e9

Essentials
Severities (33)
References (24)
Severity details (23)
Exploits (3)
EPSS
History (1)

Vulnerability ID	VCID-rru7-kb7m-y3e9
Aliases	CVE-2019-5786 GHSA-c2gp-86p4-5935
Summary	Use-After-Free in puppeteer Versions of `puppeteer` prior to 1.13.0 are vulnerable to the Use-After-Free vulnerability in Chromium (CVE-2019-5786). The Chromium FileReader API is vulnerable to Use-After-Free which may lead to Remote Code Execution. ## Recommendation Upgrade to version 1.13.0 or later.
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-416	Use After Free
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5786.json
epss	0.89384	https://api.first.org/data/v1/epss?cve=CVE-2019-5786
epss	0.89384	https://api.first.org/data/v1/epss?cve=CVE-2019-5786
epss	0.89453	https://api.first.org/data/v1/epss?cve=CVE-2019-5786
epss	0.89453	https://api.first.org/data/v1/epss?cve=CVE-2019-5786
epss	0.8955	https://api.first.org/data/v1/epss?cve=CVE-2019-5786
epss	0.8955	https://api.first.org/data/v1/epss?cve=CVE-2019-5786
cvssv3.1	6.5	https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation
generic_textual	MODERATE	https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation
cvssv3.1	6.5	https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
cvssv3.1	6.5	https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
generic_textual	MODERATE	https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
ssvc	Track	https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
cvssv3.1	6.5	https://crbug.com/936448
cvssv3.1	6.5	https://crbug.com/936448
generic_textual	MODERATE	https://crbug.com/936448
ssvc	Track	https://crbug.com/936448
cvssv3	10.0	https://electronjs.org/blog/filereader-fix
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-c2gp-86p4-5935
cvssv3.1	6.5	https://github.com/GoogleChrome/puppeteer
generic_textual	MODERATE	https://github.com/GoogleChrome/puppeteer
cvssv3.1	6.5	https://github.com/GoogleChrome/puppeteer/issues/4141
generic_textual	MODERATE	https://github.com/GoogleChrome/puppeteer/issues/4141
cvssv3	10.0	https://github.com/nodejs/security-wg/blob/main/vuln/npm/495.json
cvssv3.1	6.5	https://nvd.nist.gov/vuln/detail/CVE-2019-5786
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2019-5786
archlinux	High	https://security.archlinux.org/AVG-916
cvssv3	10.0	https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
cvssv3.1	6.5	https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321
generic_textual	MODERATE	https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321
cvssv3	10.0	https://www.cisecurity.org/advisory/a-vulnerability-in-google-chrome-could-allow-for-arbitrary-code-execution_2019-026/
cvssv3.1	6.5	https://www.npmjs.com/advisories/824
generic_textual	MODERATE	https://www.npmjs.com/advisories/824

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5786.json
		https://api.first.org/data/v1/epss?cve=CVE-2019-5786
		https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation
		https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
		https://crbug.com/936448
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786
		https://electronjs.org/blog/filereader-fix
		https://github.com/GoogleChrome/puppeteer
		https://github.com/GoogleChrome/puppeteer/issues/4141
		https://nvd.nist.gov/vuln/detail/CVE-2019-5786
		https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
		https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321
		https://www.cisecurity.org/advisory/a-vulnerability-in-google-chrome-could-allow-for-arbitrary-code-execution_2019-026/
		https://www.npmjs.com/advisories/824
1685162		https://bugzilla.redhat.com/show_bug.cgi?id=1685162
495		https://github.com/nodejs/security-wg/blob/main/vuln/npm/495.json
ASA-201903-1		https://security.archlinux.org/ASA-201903-1
AVG-916		https://security.archlinux.org/AVG-916
CVE-2019-5786	Exploit	https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/windows_x86/remote/46812.rb
CVE-2019-5786	Exploit	https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/chrome_filereader_uaf.rb
CVE-2019-5786-ANALYSIS-AND-EXPLOITATION		https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/
GHSA-c2gp-86p4-5935		https://github.com/advisories/GHSA-c2gp-86p4-5935
GLSA-201903-23		https://security.gentoo.org/glsa/201903-23
RHSA-2019:0481		https://access.redhat.com/errata/RHSA-2019:0481

Data source	Exploit-DB
Date added	May 8, 2019
Description	Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)
Ransomware campaign use	Known
Source publication date	May 8, 2019
Exploit type	remote
Platform	windows_x86
Source update date	May 8, 2019
Source URL	https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/browser/chrome_filereader_uaf.rb

Data source	KEV
Date added	May 23, 2022
Description	Google Chrome Blink contains a heap use-after-free vulnerability that allows an attacker to potentially perform out of bounds memory access via a crafted HTML page.
Required action	Apply updates per vendor instructions.
Due date	June 13, 2022
Note	https://nvd.nist.gov/vuln/detail/CVE-2019-5786
Ransomware campaign use	Unknown

Data source	Metasploit
Description	This exploit takes advantage of a use after free vulnerability in Google Chrome 72.0.3626.119 running on Windows 7 x86. The FileReader.readAsArrayBuffer function can return multiple references to the same ArrayBuffer object, which can be freed and overwritten with sprayed objects. The dangling ArrayBuffer reference can be used to access the sprayed objects, allowing arbitrary memory access from Javascript. This is used to write and execute shellcode in a WebAssembly object. The shellcode is executed within the Chrome sandbox, so you must explicitly disable the sandbox for the payload to be successful.
Note	Reliability: - unknown-reliability Stability: - unknown-stability SideEffects: - unknown-side-effects
Ransomware campaign use	Unknown
Source publication date	March 21, 2019
Platform	Windows
Source URL	https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/windows/browser/chrome_filereader_uaf.rb

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-5786.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:09:14Z/ Found at https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://crbug.com/936448

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://crbug.com/936448

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:A/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-11T14:09:14Z/ Found at https://crbug.com/936448

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://github.com/GoogleChrome/puppeteer

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://github.com/GoogleChrome/puppeteer/issues/4141

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-5786

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://snyk.io/vuln/SNYK-JS-PUPPETEER-174321

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://www.npmjs.com/advisories/824

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.99544
EPSS Score	0.89384
Published At	April 12, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:59:52.021179+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-c2gp-86p4-5935/GHSA-c2gp-86p4-5935.json	38.0.0