CVE-2024-43367 – Boa has an uncaught exception when transitioning the state of `AsyncGenerator` objects

https://notcve.org/view.php?id=CVE-2024-43367

Boa is an embeddable and experimental Javascript engine written in Rust. Starting in version 0.16 and prior to version 0.19.0, a wrong assumption made when handling ECMAScript's `AsyncGenerator` operations can cause an uncaught exception on certain scripts. Boa's implementation of `AsyncGenerator` makes the assumption that the state of an `AsyncGenerator` object cannot change while resolving a promise created by methods of `AsyncGenerator` such as `%AsyncGeneratorPrototype%.next`, `%AsyncGeneratorPrototype%.return`, or `%AsyncGeneratorPrototype%.throw`. However, a carefully constructed code could trigger a state transition from a getter method for the promise's `then` property, which causes the engine to fail an assertion of this assumption, causing an uncaught exception. This could be used to create a Denial Of Service attack in applications that run arbitrary ECMAScript code provided by an external user. • https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r https://github.com/boa-dev/boa/commit/69ea2f52ed976934bff588d6b566bae01be313f7 • CWE-248: Uncaught Exception •