CVE-2024-43357

JavaScript specification issue may lead to type confusion and pointer dereference in implementations

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

MITRE

ECMA-262 is the language specification for the scripting language ECMAScript. A problem in the ECMAScript (JavaScript) specification of async generators, introduced by a May 2021 spec refactor, may lead to mis-implementation in a way that could present as a security vulnerability, such as type confusion and pointer dereference.

The internal async generator machinery calls regular promise resolver functions on IteratorResult (`{ done, value }`) objects that it creates, assuming that the IteratorResult objects will not be then-ables. Unfortunately, these IteratorResult objects inherit from `Object.prototype`, so these IteratorResult objects can be made then-able, triggering arbitrary behaviour, including re-entering the async generator machinery in a way that violates some internal invariants.

The ECMAScript specification is a living standard and the issue has been addressed at the time of this advisory's public disclosure. JavaScript engine implementors should refer to the latest specification and update their implementations to comply with the `AsyncGenerator` section.

## References

- https://github.com/tc39/ecma262/commit/1e24a286d0a327d08e1154926b3ee79820232727
- https://bugzilla.mozilla.org/show_bug.cgi?id=1901411
- https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq
- https://bugs.webkit.org/show_bug.cgi?id=275407
- https://issues.chromium.org/issues/346692561
- https://www.cve.org/CVERecord?id=CVE-2024-7652

*Credits: N/A

CVSS Scores

GitHubv3.1 8.6

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-08-09 CVE Reserved
2024-08-15 CVE Published
2024-08-15 CVE Updated
2024-08-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-248: Uncaught Exception
CWE-476: NULL Pointer Dereference
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CAPEC

References (10)

URL	Tag	Source
https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r	X_refsource_confirm
https://github.com/boa-dev/boa/security/advisories/GHSA-f67q-wr6w-23jq	X_refsource_misc
https://github.com/tc39/ecma262/pull/2413	X_refsource_misc
https://github.com/tc39/ecma262/commit/1e24a286d0a327d08e1154926b3ee79820232727	X_refsource_misc
https://github.com/tc39/ecma262/commit/4cb5a6980e20be76c648f113c4cc762342172df3	X_refsource_misc
https://bugs.webkit.org/show_bug.cgi?id=275407	X_refsource_misc
https://bugzilla.mozilla.org/show_bug.cgi?id=1901411	X_refsource_misc
https://issues.chromium.org/issues/346692561	X_refsource_misc
https://tc39.es/ecma262/#sec-asyncgenerator-objects	X_refsource_misc
https://www.cve.org/CVERecord?id=CVE-2024-7652	X_refsource_misc

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
-		-				-		-		-