CVE-2023-29569

Vulnerability

Cesanta MJS v2.20.0 contains a segmentation fault (SEGV) vulnerability in the function ffi_cb_impl_wpwwwww located in src/mjs_ffi.c at line 456. The bug is triggered when the MJS interpreter executes a specially crafted JavaScript file, causing a write access to an invalid memory address, leading to a crash. The affected versions are named v2.20.0 [1][2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious JavaScript file (e.g., poc4.js) to the MJS interpreter. No authentication or special network position is required; the victim only needs to run the MJS binary with the attacker-supplied script. The crash occurs during the execution of the script via mjs_exec_internal and mjs_exec_file, culminating in ffi_cb_impl_wpwwwww [1][2].

Impact

Successful exploitation results in a denial of service (DoS) as the MJS process terminates abnormally due to a segmentation violation. There is no indication of code execution or information disclosure; the impact is limited to service interruption [1][2].

Mitigation

As of the publication date (2023-04-14), no official fix has been released for CVE-2023-29569. Users should monitor the Cesanta MJS repository for patches or updates. No workaround is disclosed in the available references [1][2].