CVE-2024-35384
Description
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A segmentation fault in Cesanta mjs 2.20.0 allows remote denial of service via crafted input to mjs_array_length.
Vulnerability
Cesanta mjs version 2.20.0 (commit b1b6eac) contains a segmentation fault vulnerability in the mjs_array_length function in mjs.c at line 6929. The flaw is triggered when a crafted JavaScript file with specially malformed object properties is parsed, causing the interpreter to crash. No special configuration is required beyond running the interpreter on the attacker-supplied script.
Exploitation
An attacker can remotely trigger the vulnerability by providing a malicious script such as the proof-of-concept (PoC) described in [1]. The attacker needs to convince the target to execute the script using the mjs-asan binary. The PoC file contains repeated property definitions and special characters, which, when processed, lead to a null pointer dereference or invalid memory access in mjs_array_length [1].
Impact
Successful exploitation results in a segmentation fault, leading to a denial of service condition. The crash terminates the mjs process, causing the software to stop responding for the duration of the script [1]. No code execution or privilege escalation is described.
Mitigation
As of the published report, no fix has been released. Users should avoid processing untrusted JavaScript files with mjs 2.20.0. Upgrading to a patched version when available is recommended [1].
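Where scripts of unknown origin must still be evaluated, the crash can be contained by running the interpreter in a resource-limited child process and treating a signal-terminated exit as a crash. The following is an added example, not part of the CVE record or the mjs project; `run_isolated` and the stand-in commands are hypothetical names, and the stand-ins are constructed so the example runs without an mjs binary.

```python
import resource
import signal
import subprocess
import sys

# Constructed stand-ins for an interpreter invocation (not real mjs runs).
CRASH_STANDIN = [sys.executable, "-c",
                 "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
OK_STANDIN = [sys.executable, "-c", "print('done')"]
SLOW_STANDIN = [sys.executable, "-c", "import time; time.sleep(30)"]


def _limit_child():
    # Runs in the child just before exec: cap CPU seconds, disable core dumps.
    # An address-space cap (RLIMIT_AS) is left out because ASan builds such as
    # mjs-asan reserve a very large virtual address range.
    resource.setrlimit(resource.RLIMIT_CPU, (2, 2))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_isolated(argv, timeout=5.0):
    """Run an interpreter command in a child process and classify the outcome.

    Returns (status, detail) with status in
    {"ok", "error", "crashed", "timeout"}.
    """
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL,
                              capture_output=True, timeout=timeout,
                              preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child at this point.
        return ("timeout", f"killed after {timeout}s")
    if proc.returncode < 0:
        # Negative return code: the child was terminated by a signal,
        # e.g. SIGSEGV from an invalid memory access.
        return ("crashed", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return ("error", f"exit {proc.returncode}")
    return ("ok", proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    for name, argv in [("crash", CRASH_STANDIN), ("ok", OK_STANDIN)]:
        print(name, run_isolated(argv))
```

In a deployment, `argv` would be the real interpreter command line for the script under test, and a `crashed` result would be logged and the input rejected while the parent service keeps running.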
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cesanta/mjs
Patches
No patches discovered yet.
References