Unrated severity · NVD Advisory · Published Jan 2, 2024 · Updated Jun 16, 2025

CVE-2023-49549

Description

An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_getretvalpos function in the mjs.c file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A segmentation fault in Cesanta mjs 2.20.0 via the mjs_getretvalpos function allows remote denial of service.

Vulnerability

A segmentation fault vulnerability exists in Cesanta mjs version 2.20.0 (commit b1b6eac) in the mjs_getretvalpos function within mjs.c. The issue can be triggered by executing a crafted JavaScript payload that includes specific syntax such as let declarations with comma operators and a malformed string concatenation pattern. The vulnerability is reachable without any special configuration beyond running the mjs interpreter on the provided proof-of-concept script.

Exploitation

An attacker with the ability to supply arbitrary JavaScript code to an mjs interpreter can trigger the vulnerability. The provided proof-of-concept involves a JavaScript snippet that declares multiple variables using let with comma operators, followed by complex nested expressions including JSON.parse and JSON.stringify calls. Executing this script on mjs version 2.20.0 leads to a memory access violation during mjs_getretvalpos processing, causing a denial of service via segmentation fault.

Impact

Successful exploitation results in a denial of service (DoS) through a segmentation violation, causing the mjs interpreter to crash. The crash is confirmed by AddressSanitizer output showing a SEGV signal during a read memory access. The impact is limited to availability (DoS) as the vulnerability leads to process termination; there is no evidence of other impacts such as information disclosure or remote code execution from the available references.

Mitigation

As of the publication date (2024-01-02), no patched version of Cesanta mjs has been released to fix this vulnerability. The issue was reported in the project's issue tracker [1] but no fix commit or updated version is available. Users are advised to monitor the repository for future updates. Until a fix is available, avoid running untrusted JavaScript code with mjs version 2.20.0.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Cesanta/mjs (source: description)
  • Cesanta/mjs (source: llm-fuzzy)
    Range: = 2.20.0

Patches

0

No patches discovered yet.

References

1
