CVE-2024-43367
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2024-43367 is a vulnerability affecting the Boa JavaScript engine, specifically versions between 0.16 and 0.18.99. Boa, an experimental, embeddable engine written in Rust, contains a flaw in its handling of ECMAScript's `AsyncGenerator` operations. The engine assumes that the state of an `AsyncGenerator` object remains constant while the promises created by its methods (`next`, `return`, or `throw`) are being resolved. However, a crafted script can trigger a state transition from a getter method for the promise's `then` property, leading to an uncaught exception and potential Denial of Service (DoS) attacks against applications that process arbitrary ECMAScript code from external users. The issue is resolved in version 0.19.0. Users on older versions can mitigate the risk by wrapping calls into the engine in `std::panic::catch_unwind` to contain any exceptions caused by the engine, preserving application availability.
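The `std::panic::catch_unwind` mitigation described above, as an added sketch that is not code from Boa or from this advisory. `engine_eval` is a hypothetical stand-in for the host's call into the engine, and the panic message and the marker string that triggers it are constructed for the demonstration.

```rust
use std::any::Any;
use std::panic::{self, AssertUnwindSafe};

#[derive(Debug, PartialEq)]
pub enum EvalOutcome {
    Completed(String),      // script ran to completion
    ScriptError(String),    // ordinary error reported by the engine
    EnginePanicked(String), // engine unwound; request rejected, host keeps running
}

// Hypothetical stand-in for the embedded engine. A real host would create a
// fresh engine context and evaluate `source` here. The marker is constructed.
fn engine_eval(source: &str) -> Result<String, String> {
    if source.contains("__constructed_panic__") {
        panic!("assertion failed: async generator state"); // constructed message
    }
    if source.starts_with("throw") {
        return Err("uncaught script error".to_string());
    }
    Ok(format!("evaluated {} bytes", source.len()))
}

fn payload_message(payload: Box<dyn Any + Send>) -> String {
    if let Some(s) = payload.downcast_ref::<&str>() {
        s.to_string()
    } else if let Some(s) = payload.downcast_ref::<String>() {
        s.clone()
    } else {
        "non-string panic payload".to_string()
    }
}

// All engine state lives inside the closure and is dropped during unwinding,
// so nothing half-updated is reused; that is what justifies AssertUnwindSafe.
// catch_unwind has no effect when the binary is built with panic = "abort".
pub fn guarded_eval(source: &str) -> EvalOutcome {
    match panic::catch_unwind(AssertUnwindSafe(|| engine_eval(source))) {
        Ok(Ok(value)) => EvalOutcome::Completed(value),
        Ok(Err(err)) => EvalOutcome::ScriptError(err),
        Err(payload) => EvalOutcome::EnginePanicked(payload_message(payload)),
    }
}

fn main() {
    for src in ["1 + 1", "throw 1", "__constructed_panic__", "2"] {
        println!("{:?} -> {:?}", src, guarded_eval(src));
    }
}
```

Logging the `EnginePanicked` outcome with the submitting client's identity gives operators a signal for repeated attempts while the upgrade to 0.19.0 is pending.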