CVE-2024-13903
Published: 21 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-13903 is a stack-based buffer overflow vulnerability affecting the quickjs-ng QuickJS JavaScript engine in versions up to 0.9.0. The issue resides in the JS_GetRuntime function within the quickjs.c file of the qjs component. Manipulation of this function triggers the overflow, as classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-121 (Stack-based Buffer Overflow), and CWE-787 (Out-of-bounds Write). The vulnerability carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L), indicating moderate severity primarily impacting availability.
The vulnerability can be exploited remotely by unauthenticated attackers over a network with low complexity, but it requires user interaction to trigger. Successful exploitation results in limited denial-of-service effects, such as application crashes due to the stack overflow, with no impact on confidentiality or integrity.
Mitigation is addressed by upgrading to QuickJS version 0.9.0, which includes the fixing commit 99c02eb45170775a9a679c32b45dd4000ea67aff. Additional details are available in the project's GitHub issue #775 and release notes for v0.9.0.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow in QuickJS qjs component enables remote denial of service via crafted JavaScript input causing application crash, facilitating T1499.004 (Application or System Exploitation).