CVE-2024-35385
Description
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A segmentation fault in Cesanta mjs 2.20.0, triggered via crafted input in mjs_mk_ffi_sig, can lead to a denial of service.
Vulnerability
A segmentation fault vulnerability exists in Cesanta mjs version 2.20.0 (commit b1b6eac) within the mjs_mk_ffi_sig function in mjs.c [1]. The flaw is reachable when the engine parses a specially crafted JavaScript object literal containing malformed FFI type signatures, as demonstrated by the proof-of-concept (PoC) provided in the issue [1].
Exploitation
An attacker can exploit this vulnerability without authentication by crafting a JavaScript file that includes an object with a property value containing a malformed FFI definition (e.g., ffi-= 44.1111 and a final string with unprintable characters). Executing this script using the mjs interpreter (compiled with AddressSanitizer, but also reproducible without) triggers a segmentation fault in mjs_mk_ffi_sig due to an invalid memory read [1]. The PoC shows the crash occurs during the execution of mjs_exec_file [1].
Impact
Successful exploitation causes a segmentation fault, leading to a denial of service (DoS) condition by crashing the mjs interpreter. The crash is a read access violation, as confirmed by AddressSanitizer output (READ memory access) [1]. No further compromise beyond DoS is indicated in the available references.
Mitigation
As of the latest reference [1] (published 2024-05-21), no fix has been released by Cesanta for this vulnerability in mjs 2.20.0. Users should consider avoiding the use of untrusted JavaScript input with this version and monitor the project for a future patch.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Cesanta/mjs
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.