CVE-2024-13903

A vulnerability was found in quickjs-ng QuickJS up to 0.8.0. It has been declared as problematic. Affected by this vulnerability is the function JS_GetRuntime of the file quickjs.c of the component qjs. The manipulation leads to stack-based buffer overflow. The attack can be launched remotely. Upgrading to version 0.9.0 is able to address this issue. The patch is named 99c02eb45170775a9a679c32b45dd4000ea67aff. It is recommended to upgrade the affected component.

CVSS v3 4.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/quickjs-ng/quickjs/commit/99c02eb45170775a9a679c32b45dd4000ea67aff	Patch
https://github.com/quickjs-ng/quickjs/issues/775	Exploit Issue Tracking
https://github.com/quickjs-ng/quickjs/releases/tag/v0.9.0	Release Notes
https://vuldb.com/?ctiid.300571	Permissions Required VDB Entry
https://vuldb.com/?id.300571	Third Party Advisory VDB Entry
https://vuldb.com/?submit.517394	Exploit Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*:*

History

24 Mar 2025, 14:36

Type	Values Removed	Values Added
References	~~() https://github.com/quickjs-ng/quickjs/commit/99c02eb45170775a9a679c32b45dd4000ea67aff -~~	() https://github.com/quickjs-ng/quickjs/commit/99c02eb45170775a9a679c32b45dd4000ea67aff - Patch
References	~~() https://github.com/quickjs-ng/quickjs/issues/775 -~~	() https://github.com/quickjs-ng/quickjs/issues/775 - Exploit, Issue Tracking
References	~~() https://github.com/quickjs-ng/quickjs/releases/tag/v0.9.0 -~~	() https://github.com/quickjs-ng/quickjs/releases/tag/v0.9.0 - Release Notes
References	~~() https://vuldb.com/?ctiid.300571 -~~	() https://vuldb.com/?ctiid.300571 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.300571 -~~	() https://vuldb.com/?id.300571 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.517394 -~~	() https://vuldb.com/?submit.517394 - Exploit, Third Party Advisory, VDB Entry
CPE		cpe:2.3:a:quickjs-ng:quickjs::::::::
CWE		CWE-787
Summary		(es) Se encontró una vulnerabilidad en quickjs-ng (QuickJS hasta la versión 0.8.0). Se ha declarado problemática. Esta vulnerabilidad afecta a la función JS_GetRuntime del archivo quickjs.c del componente qjs. La manipulación provoca un desbordamiento del búfer en la pila. El ataque puede ejecutarse remotamente. Actualizar a la versión 0.9.0 puede solucionar este problema. El parche se llama 99c02eb45170775a9a679c32b45dd4000ea67aff. Se recomienda actualizar el componente afectado.
First Time		Quickjs-ng Quickjs-ng quickjs

21 Mar 2025, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-21 07:15

Updated : 2025-03-24 14:36

NVD link : CVE-2024-13903

Mitre link : CVE-2024-13903

CVE.ORG link : CVE-2024-13903

JSON object : View

Products Affected

quickjs-ng

quickjs

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-121

Stack-based Buffer Overflow

CWE-787

Out-of-bounds Write

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2024-13903

4.3^/10

5.0^/10

Attach tags to `CVE-2024-13903`