WebKit JavaScriptCore type confusion in for...in property enumeration
CVE-2021-1789 is a WebKit/JavaScriptCore remote code execution vulnerability affecting Safari and Apple platforms prior to the fixes in macOS Big Sur 11.2, Security Update 2021-001 Catalina, Security Update 2021-001 Mojave, tvOS 14.4, watchOS 7.3, iOS 14.4, iPadOS 14.4, and Safari 14.0.3. Apple described the issue as a type confusion addressed with improved state handling, and noted it may have been actively exploited in the wild. Public technical analysis ties the bug to JavaScriptCore handling of for...in enumeration via JSPropertyNameEnumerator. During enumeration, JavaScriptCore caches structure and property metadata from the base object, then walks the prototype chain. If that traversal passes through a Proxy object, a getPrototypeOf trap can mutate the enumerated object state. The implementation reportedly failed to validate the final structure/property state after those mutations, leaving stale cached structure information used by the JIT fast path for property access. This can produce out-of-bounds reads and, with heap manipulation, be transformed into a more powerful memory-corruption primitive enabling arbitrary code execution from malicious web content.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A WebKit logic issue that may allow remote arbitrary code execution; Apple reports it may have been actively exploited.
An out-of-bounds read vulnerability in WebKit/JavaScriptCore involving JSPropertyNameEnumerator during for...in enumeration, caused by failure to validate the final size/number of structure properties after prototype-chain iteration through a Proxy callback. The writeup describes exploitation toward out-of-bounds read and use-after-free on affected WebKit builds.
A WebKit vulnerability used by DazzleSpy to gain initial code execution on macOS via malicious websites in a watering hole attack.
A WebKit vulnerability in Safari (possibly CVE-2021-1789) that allows remote code execution via a complex JavaScript exploit, enabling attackers to gain memory read/write access and execute arbitrary code in the browser.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.