CVE-2024-35386
Description
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A segmentation fault in the `mjs_do_gc` function of Cesanta mjs 2.20.0 allows remote denial of service via crafted JavaScript.
Vulnerability
A denial-of-service vulnerability exists in Cesanta mjs version 2.20.0 (commit b1b6eac). The issue is a segmentation fault triggered in the `mjs_do_gc` function within `mjs.c` when processing the specially crafted JavaScript expression `gc(3+gc)(gc )`. This occurs during garbage collection when the interpreter attempts to treat `gc` as a callable, leading to a NULL dereference [1].
Exploitation
An attacker can exploit this vulnerability remotely by providing the malicious JavaScript payload to the mjs interpreter. No authentication is required. The attacker must supply the crafted script as input (e.g., via a file passed with the `-f` flag). The mjs parser creates a call expression in which `gc` is treated as a function and invoked after the `gc(3+gc)` expression; this sets up invalid internal state that causes a READ access to address 0x0 when `mjs_do_gc` is called during `mjs_execute` [1].
Impact
Successful exploitation results in a segmentation fault (denial of service). The interpreter crashes, terminating any service or application that uses mjs to execute untrusted scripts. The CIA impact is limited to availability; there is no information disclosure or code execution from the crash [1].
Mitigation
As of the available references, no patch has been released. The vulnerability is present in commit b1b6eac (tag 2.20.0). Users should avoid processing untrusted JavaScript input with this version of mjs until a fix is provided. The issue has been reported in the project’s GitHub repository [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
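One way to contain the crash described under Impact and Mitigation, shown as an added example that is not part of this entry or of the mjs project: run the interpreter as a child process so that a SIGSEGV ends only that child and the host service records a verdict instead of dying. The function name `run_isolated` and the three stand-in commands are assumptions made for illustration; in practice `interpreter_argv` would be the path to an mjs binary.

```python
import os
import resource
import signal
import subprocess
import sys
import tempfile

# Constructed stand-ins so the example runs without an mjs build.
CRASH_STANDIN = [sys.executable, "-c",
                 "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]
OK_STANDIN = [sys.executable, "-c", "print('done')"]
HANG_STANDIN = [sys.executable, "-c", "import time; time.sleep(30)"]


def _no_core_dumps():
    # Runs in the child before exec: a crashing interpreter leaves no core file.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def run_isolated(script_text, interpreter_argv, timeout_s=5.0):
    """Run an untrusted script in a child process; return (verdict, detail)."""
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as fh:
        fh.write(script_text)
        path = fh.name
    try:
        proc = subprocess.run(
            [*interpreter_argv, "-f", path],   # -f <file>, as on this page
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            timeout=timeout_s,
            preexec_fn=_no_core_dumps,
        )
    except subprocess.TimeoutExpired:
        return ("timeout", f"killed after {timeout_s}s")
    finally:
        os.unlink(path)
    if proc.returncode < 0:
        # Negative return code: the child died from a signal (SIGSEGV here).
        return ("crashed", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return ("error", f"exit status {proc.returncode}")
    return ("ok", proc.stdout.decode(errors="replace"))


if __name__ == "__main__":
    for name, argv in [("crash", CRASH_STANDIN), ("ok", OK_STANDIN)]:
        print(name, run_isolated("let x = 1;", argv))
```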
Affected products
- Cesanta/mjs
Patches
No patches discovered yet.