VYPR
Unrated severity · NVD Advisory · Published Feb 3, 2023 · Updated Mar 26, 2025

CVE-2021-36535

Description

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-buffer overflow in Cesanta mJS 1.26's mjs_set_errorf allows remote attackers to cause denial of service via a crafted JavaScript file.

Vulnerability

A heap-buffer overflow vulnerability exists in Cesanta mJS version 1.26 in the function mjs_set_errorf at mjs.c:7617. The overflow is triggered during the parsing of a maliciously crafted JavaScript file, specifically through the call chain starting at parse_literal (mjs.c:12166). The vulnerability is a read of 8 bytes from a wild pointer, leading to a crash. Affected versions: Cesanta mJS 1.26.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted .js file to the mjs interpreter (e.g., via the command ./mjs -f malicious.js). No authentication or special privileges are required; the attacker only needs the ability to supply the file for parsing. The crash occurs during the parsing phase without user interaction beyond executing the interpreter.

Impact

Successful exploitation causes a heap-buffer-overflow, resulting in a denial of service (DoS) as the application terminates abnormally. The AddressSanitizer report confirms a read of size 8 at an invalid heap address. No code execution or data exfiltration is indicated; the impact is limited to availability.

Mitigation

According to the available references [1], no patch or fixed version has been released for this issue. Users of Cesanta mJS 1.26 should avoid processing untrusted JavaScript files. No workarounds are provided. The project's repository may have subsequent fixes, but this is not confirmed. If no update is possible, consider using an alternative JavaScript engine.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Cesanta/mJS (description)
  • Cesanta/mjs (llm-fuzzy)
    Range: =1.26

Patches

0

No patches discovered yet.

References

1
