CVE-2023-30087
Description
Buffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap buffer overflow in Cesanta MJS v1.26 via the mjs_mk_string function allows a local attacker to cause a denial of service.
Vulnerability
A heap buffer overflow vulnerability exists in Cesanta MJS version 1.26 (commit 9eae0e6) in the mjs_mk_string() function at mjs.c:13671. The bug is triggered when the interpreter parses a crafted JSON input via mjs_json_parse, leading to a read of 94 bytes beyond the allocated heap buffer. The code path is reachable when processing a malicious file with the mjs executable [1].
Exploitation
An attacker with local access can exploit this vulnerability by providing a specially crafted file to the mjs interpreter. No authentication is required beyond local user privileges. The steps involve downloading the proof-of-concept file, compiling mjs with AddressSanitizer (ASAN), and executing ./mjs_asan -f <poc_file>. The overflow occurs during JSON parsing, as demonstrated in the ASAN report [1].
Impact
Successful exploitation results in a heap buffer overflow, causing the mjs process to crash, leading to a denial of service (DoS). The reference does not indicate any possibility of code execution or privilege escalation; the impact is limited to application termination [1].
Mitigation
As of the publication date, no official fix has been released for this vulnerability. The issue is documented in the project's GitHub repository but no patch has been committed. Users are advised to avoid processing untrusted JSON input with MJS version 1.26. No workaround is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Cesanta/MJS (description)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.