CVE-2023-49553
Description
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_destroy function in the mjs.c file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cesanta mjs 2.20.0 (commit b1b6eac) has a segmentation fault in mjs_destroy() that allows a remote attacker to cause a denial of service.
Vulnerability
A segmentation fault vulnerability exists in Cesanta mjs version 2.20.0 (commit b1b6eac). The crash occurs in the mjs_destroy function at mjs.c:7563 when mbuf_free(&mjs->json_visited_stack) is called. The issue is triggered by executing a malformed JavaScript program that appears to corrupt internal data structures, leading to a null or invalid pointer dereference during cleanup. The affected function is part of the core memory management of the mjs engine [1].
Exploitation
An attacker can trigger the vulnerability by providing a specially crafted JavaScript file to the mjs interpreter. The supplied proof-of-concept code (available in the reference) shows a malformed script that, when executed, causes a segmentation fault. The attacker does not need authentication or special privileges beyond the ability to supply the malicious input to the mjs engine. The crash is consistently reproducible using the provided steps on Ubuntu 18.04 with clang 12.0.1 [1].
Impact
Successful exploitation leads to a denial of service (DoS) through a segmentation fault, causing the mjs interpreter to terminate abnormally. The crash indicates a memory corruption or use-after-free condition, which could potentially be leveraged for more severe impacts, but the available information confirms only a crash. The CIA impact is limited to availability (partial loss) [1].
Mitigation
As of the published CVE date (2024-01-02), no official fix or patched version has been released by Cesanta for this issue. The repository issue [1] remains open, and the vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should consider limiting exposure by not processing untrusted JavaScript input with mjs until a fix is provided.
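One way to limit exposure where scripts must still be run, shown as an added example that is not from Cesanta or the referenced issue: execute the interpreter in a separate, resource-limited process so that a segmentation fault ends only the child and is reported to the caller. The helper name `run_isolated` and the `/bin/sh` stand-in for a crashing interpreter are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum run_result { RUN_OK, RUN_SCRIPT_ERROR, RUN_CRASHED, RUN_TIMED_OUT, RUN_SPAWN_FAILED };

/* Hypothetical helper (not part of mjs): run argv[0] as a child process so
 * that a fatal signal inside the interpreter cannot terminate the caller.
 * On RUN_CRASHED or RUN_TIMED_OUT, *sig_out receives the signal number. */
enum run_result run_isolated(char *const argv[], unsigned cpu_seconds, int *sig_out)
{
    pid_t pid = fork();
    if (pid < 0)
        return RUN_SPAWN_FAILED;
    if (pid == 0) {
        struct rlimit no_core = {0, 0};                     /* no core files from repeated crashes */
        struct rlimit cpu = {cpu_seconds, cpu_seconds + 1}; /* SIGXCPU, then SIGKILL */
        setrlimit(RLIMIT_CORE, &no_core);
        setrlimit(RLIMIT_CPU, &cpu);
        execvp(argv[0], argv);
        _exit(127);                                         /* exec failed */
    }
    int status = 0;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return RUN_SPAWN_FAILED;
    }
    if (WIFEXITED(status)) {
        int code = WEXITSTATUS(status);
        if (code == 0)
            return RUN_OK;
        return code == 127 ? RUN_SPAWN_FAILED : RUN_SCRIPT_ERROR;
    }
    if (WIFSIGNALED(status)) {
        int sig = WTERMSIG(status);
        if (sig_out)
            *sig_out = sig;
        return (sig == SIGXCPU || sig == SIGKILL) ? RUN_TIMED_OUT : RUN_CRASHED;
    }
    return RUN_SPAWN_FAILED;
}

int main(void)
{
    /* Constructed stand-in for a crashing interpreter: a shell that sends
     * itself SIGSEGV. In a deployment argv would name the mjs binary and script. */
    char *argv[] = {"/bin/sh", "-c", "kill -SEGV $$", NULL};
    int sig = 0;
    return run_isolated(argv, 5, &sig) == RUN_CRASHED && sig == SIGSEGV ? 0 : 1;
}
```

A `RUN_CRASHED` result with signal 11 is the condition to log and alert on, since it distinguishes an interpreter crash from an ordinary script error.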
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cesanta/mjs
Patches
No patches discovered yet.
References