CVE-2024-43367

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Aug 15, 2024
Updated: Aug 19, 2024
CWE ID 248

Summary

CVE-2024-43367 is a vulnerability affecting the Boa Javascript engine, specifically versions between 0.16 and 0.18.99. Boa, an embeddable and experimental Rust-written engine, contains a flaw in its handling of ECMAScript's `AsyncGenerator` operations. The engine assumes that the state of an `AsyncGenerator` object remains constant during the resolution of promises created by its methods like `next`, `return`, or `throw`. However, a crafted script can cause a state transition from a getter method for the promise's `then` property, leading to an uncaught exception and potential Denial of Service (DoS) attacks against applications processing arbitrary ECMAScript code from external users. The issue is resolved in version 0.19.0. Users on older versions can mitigate the risk by implementing `std::panic::catch_unwind` to contain any exceptions caused by the engine, preserving application availability.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share