JavaFX WebEngine does not properly restrict Java method execution


JavaFX, GUI library for Java applications, is provided with OracleJDK 7 through 10.
Since OracleJDK 11, JavaFX is separately maintained and developed by OpenJFX project under OpenJDK community.

JavaFX WebEngine component is capable of web content rendering, and possible to be configured to allow JavaScript code to execute Java methods.
WebEngine component does not properly restrict Java methods execution(CWE-470).
This vulnerability is similar to CVE-2012-6636 of Android WebView component.

ICHIHARA Ryohei of DMM.com LLC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.8 (High) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

OpenJFX Project
  • JavaFX versions prior to 14.0.1
Oracle Corporation
  • JDK 8 versions prior to update 251


When a JavaFX application renders crafted web contents, an arbitrary Java code may be executed with the application's privilege.

[Update the software]
JavaFX application developers should update their applications with the latest version of JavaFX library.
JavaFX application users should update their Java execution environment to the latest version.

JavaFX library in OracleJDK 8u251 and JavaFX 14.0.1 restrict a number of Java methods callable from JavaScript code.
Please refer to release notes for details.
Vendor Information

OpenJFX Project Oracle Corporation
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)


  1. JVN : JVN#62161191
Revision History

  • [2020/07/28]
      Web page was published